The new government’s push towards digital India through increased use of e-governance will have to wait for some time as the digital security of on-line transactions among government entities has been seriously compromised. The system infrastructure for generating digital certificates (DCs) at the National Informatics Centre (NIC), which is the digital certifying authority (CA) for use in government transactions, has been hacked into by an unknown agent. This breach has, on the one hand, put the digital security of all the certificates issued so far within the government domain in jeopardy and, on the other, has enabled the intruder to generate fake DCs as well as create fraudulent, but apparently certified, phishing websites. Till date the NIC-CA has issued about 2.5 lakh DCs.
The NIC is one of the six Indian CAs licensed by the Controller of Certifying Authorities (CCA) of the DeitY, which can issue DCs to government entities only. Now all the 2.5 lakh DCs stand vulnerable to malicious acts and cyber crime. For instance, if an end-user government agency is trying to access a particular land record, it can no longer be sure that it is authentic. Similarly, a recipient of data from a government agency cannot be certain that the data has not been tampered with.
The CA infrastructure of the NIC includes the main database and the main web server at its headquarters in New Delhi and a back-up site (called the Disaster Recovery site) sitting at Hyderabad. The software for generating these DCs has been supplied by the Tata Consultancy Services (TCS), which is also a CA in its own right, but for issuing DCs to private individuals and organisations only. Besides the TCS, some other CAs, such as the Institute for Development and Research in Banking Technology (IDRBT) that issues DCs to the banking sector, also uses the TCS software.
Image Courtesy: flickr.com
Interestingly, the main infrastructure at the headquarters has been non-operational and the data base non-accessible for the last one month or so apparently due to some local fire that occurred in the NIC premises, according to a highly reliable source in the DeitY. Effectively, therefore, only the back-up system at Hyderabad has been operating as the main CA infrastructure. It is also learnt that the TCS has an annual maintenance contract (AMC) with the NIC for the back-up system. According to the source, the CCA is required to carry out a complete audit of the back-up system before migrating to it for issuing DCs which was not done.
Unfortunately, no official statement on the incident is forthcoming despite all efforts to get an official statement. “I know nothing. Please address all your queries to the CCA,” said Dr. Gulshan Rai, Director-General of the Indian Computer Emergency Response Team (ICERT) at the Department of Electronics and Information Technology (DeitY). All attempts to reach the CCA at the DeitY, Mr. T. A. Khan, and the new director-general of the NIC, Mr. Rajeev Gauba, were in vain. Interestingly, the serious incident of fire itself, for some reason, was never made public. But now there is an attempt to hush up the hacking incident as well.
When contacted, Dr. Sundeep Oberoi, head of the Niche Technology Delivery Group at the TCS, the TCS wing involved in digital certification, said: “If NIC-CA’s system has had a problem, ask the NIC. The TCS has only provided the software.” Though he categorically denied that the TCS also operated the system, it is learnt that under some informal arrangement between the two entities, the TCS does operate it.
The hacking incident came to light only on July 2 when, Google informed the CCA and the NIC that Google had been issued three fake DCs, one on June 25 and two on June 30, by the NIC-CA when it had not applied for any. Apparently Yahoo too had similarly been issued a similar fake DC on June 30. These fake DCs issued to Google, for example, can be used for unauthorised access to Google Services or Google Docs, and likewise for Yahoo services.
Not receiving any satisfactory response from the CCA or the NIC, Google informed the ICERT at the DeitY as well. Indeed if Google had not alerted the CCA this incident would probably have never come to light. It is amazing that the NIC did not have an appropriate monitoring system in place to detect such intrusion. It speaks volumes about India’s capability as an ‘IT Super Power’.
On July 8 Google apparently gave the CCA a day’s notice to make a public statement on the incident. When nothing of that sort came, on July 9 Google posted a statement in its on-line security blog on the actions that Google had taken (http://googleonlinesecurity.blogspot.in/2014/07/maintaining-digital-certificate-security.html and https://code.google.com/p/chromium/issues/detail?id=392251).
According to Google’s statement, only Windows users would be affected because the CCA is listed only in Microsoft Root Store, which browsers such as the Internet Explorer and Google Chrome use. Already Google Chrome and Internet Explorer have derecognised websites certified by the NIC-CA as can be easily checked. If you, for example, put a Google search for ‘NIC CA’, or for any other website that has been certified by the NIC-CA, and click on the link, you will see the statement “There is a problem with this website’s security certificate”.
Only after Google made the matter public, the CCA informed Google that only four fake DCs were issued. While Google — and now perhaps Yahoo too, though it has not made any public statement — has blocked these fake certificates this may not be enough. As Google has correctly noted in a subsequent update, “we are also aware of misused certificates not included in that set of four and can only conclude that the scope of breach is unknown”. Without a proper root-cause analysis it will not be known when exactly was the first instance of hacking. And so it will not be clear how many such fake DCs were issued before June 25, and during June 25-July 2.
Indeed, on July 10, Microsoft too issued a Security Advisory (No. 2982792 at https://technet.microsoft.com/library/security/2982792) which cautioned that as many as 45 domains belonging to Google and Yahoo services have been rendered vulnerable because of these fake certificates issued to Google and Yahoo. “These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks,” the statement said.
Effectively Google has stated that till such time the CCA carries out a thorough investigation through a root-cause analysis of how this occurred, it will limit its internet services to certain specific .in domains only (such as ac.in and rbi.org.in), and that too for transactions within the country alone. Sources said that already many web sites used for e-governance purposes cannot be opened. The full impact of the hacking as well as the actions by Microsoft on the government digital infrastructure will slowly become clear, the source added.
Such incidents of compromised CAs are not new. The most recent one was in 2011 when fraudulent DCs were issued by Comodo, an American CA, and DigiNotar, a Dutch CA. But to get back on track and the DCs to be internationally recognised once again, the NIC will have to carry out a complete forensic analysis of the incident and that too by an international team, as these two companies did.
As of now both the CCA and the NIC-CA are clueless as to how this breach occurred. The hacker seems to have introduced a clever piece of code that bypasses the various check modules that exist in the system chain for issuing the DCs and enables the hacker to add on an additional arbitrary application in the queue. Also, the code is such that once a fake DC is generated, no trace of the hacker’s identity is left behind. The
According to the source, it could be the handiwork of either an external agent or an insider amounting to sabotage. If it is the former, there could have been loophole(s) in the software that the hacker has exploited. In case of suspect software, the other CAs who use the TCS software are also similarly vulnerable. If it is the latter, the saboteur has somehow accessed the various secret passwords and IP addresses to by-pass the check modules. But more seriously, ICERT’s efforts to access the system’s database, hardware and log-books for carrying a root-cause analysis are being stone-walled, in a bid to hush up the incident, the source said.
The immediate remediation that the CCA is preparing to take is to revoke all the DCs issued by the intermediary NIC-CA and issue fresh ones, which could take at least a couple of months. But this is only a knee-jerk reaction and clearly not the solution that Microsoft, Google or Yahoo is going to accept before the NIC-CA, which has now been branded as a ‘Rogue CA’, can be internationally recognised as a legitimate CA again.