Orchidseven Official Blog

Engineering Defense

What’s on the webserver?


No other question has irked me more than this. What’s on the webserver?

It all began a few years ago when our team hit a jackpot of web application vulnerabilities on various Government websites of India. Well. We did not know what to do about it. Being techies, we had little or no sense of the bureaucracy involved in this sector. After a few days of calling up people and trying to explain it to them, we decided to go the Open disclosure way, convincing ourselves that this was required for the larger benefit of the Nation. And there we stood at a press conference surrounded by reporters who had no idea what this was all about. And to add a cherry on the pie, the videos we recorded to demonstrate them would not play. Some problem with the media player. Finally one old gentleman asked, “What’s on the webserver?” And he continued… “so, you got inside.. well, that information is available even if I go and register on the site. What is so special? And with that information what can go wrong? After all they are just pages.. we get this info anyway..”

He had a point. But then how could I explain that a common man was not supposed to edit details of things like tenders put up, or send administrative mails that could impact a lot of people? It was a damp squib in the end. What we thought of as a major disclosure was shrugged off as weird teenagers wasting time.

Dejected, we watched these very Government websites being hacked over time during cyber warfare. Fast forward to the present…

I read about Hackers Blog discontinuing their fantastic work. I am not surprised. This month, on Friday the 13th (hehe), I went ahead on the TV9 Channel and disclosed that the BSNL website was vulnerable. I showed a webshell which had been uploaded by someone and explained how dangerous it was for all their customers even to visit the BSNL website. They were informed almost six months back. I even met the right people in their head office to explain the problem. But the same question popped up again… “What’s on the webserver?”

On one side, our good ol’ politician Mr. L.K. Advani promises to set up the DSA, focus on e-governance, ensure broadband is given to every home and what not… and then we have our IT Act amendment which was passed a few months back without a protest. I can’t help but think… how much would our ignorance cost us over time?

[Photo: rajsm meets Advani!]

Here, I would like to mention a special body. It goes by the name of CERT. If you ask me personally, I would like to play Rambo’s First Blood with them. They never bother to reply to any of your incident reports or e-mails. They just sit on it and wait for it to hatch. Truly. Try talking to them.

Someday when we have everything on the cloud, I would like to see what happens when a hacker alters medical records of patients, and the nurse administers the wrong dose after checking the portal.

So what can we do? What can be done? In my view… we are saving them millions on assessments by giving them free knowledge of vulnerabilities. On the other hand, since it’s a Government of the people, for the people, by the people, then why don’t we have the right to test and know if our sites are secure or not? As tax-payers, what assurance can we get on the security of Government websites that hold all the information and details about us and our Nation?

Here are some things that must change:

1. Government websites must adhere to the highest standards of information security. The webmasters maintaining them must be held accountable if they fail to secure their servers over time after being informed with all the details.

2. Corporate companies with a business presence in India must do their best to rectify / resolve security issues once they are brought to their notice. It should be a legal offence if they fail to address them in the given time.

3. Open disclosures must be legalized and encouraged, and a process must be set up to effectively utilize their advantages.

4. The Police / Cyber crime cell must undertake and support programs and organizations that work towards greater awareness of cyber crimes among teenagers and school students.

5. IT Act laws must be drafted / amended after consulting experts from industry and must have more options to embrace feedback and adapt as needed.

I hope that as responsible netizens, we take steps to ensure a safer future for the community in the coming years, before it’s too late. And not get to hear the question… “What’s on the webserver?” again.


Written by rajsm

March 26, 2009 at 5:59 am
