Security breach in National Informatics Centre allowed hackers to issue fake digital Signature certificates

A major security breach of the NIC, which extends to all senior emails and websites of all central government departments, allows hackers to issue several fraudulent digital certificates, increasing global concerns about the practices of network security in India.

The NIC is one of the select few authorized entities can issue digital certificates and signatures that are at the core of secure Internet transactions. On 25 June, the hackers were able to break their safety and access to all the data in your home directory that hosts your most sensitive data. They published several false digital certificates that was not detected for several days.

Digital certificates help authenticate users and allow them to securely connect into emails, make payments and perform sensitive transactions. A fake certificate can compromise critical data such as passwords, and personal information of Internet users, as well as cause massive financial fraud if not detected.

With NIC not detect this failure, the matter would have been buried, but the alarms raised by global IT majors such as Google, Bing and Yahoo. Most Internet traffic passes through their browsers and search engines and a false certificate undetected could have resulted in major fraud and loss of sensitive data.

Since then, the NIC has tried to downplay the incident. "Our site was attacked from outside India. Auditors investigated between 4 and 7 July and urgent measures have been taken to mitigate the vulnerabilities," NIC CEO Ajay Kumar told Hindustan Times.

But on July 25, Matt Thomlinson of Microsoft, VP of security services wrote to the authorities controller TA Khan and RS Sharma, secretary in the technology department, certifying that expresses its deep concern about the lack of cooperation in addressing the violation of security. The ministry has also submitted misleading information to Parliament last week when questions were raised about the incident.

"They have been disappointed with the reluctance of your organization to share with us the research report," Thomlinson wrote.

"The current situation poses risks to consumers and businesses around the world ... (and) the attacker can alter based network audit logs and erase the evidence of the certificates being issued."

According Thomlinson, failure "raises serious concerns about the reliability" of the entire certification process safety in India.

"Microsoft supports an open, competitive certification authorities (CA) market. Each CA included in the trusted root store of Windows must meet certain requirements. Constantly monitor the threat landscape and respond when necessary to help protect our global customers, "he told HT.

Microsoft and Google were also upset with the government's investigation of India. IAS said on July 7 that there were only four false certificates. But two days later, Google found a fifth false certificate issued by the NIC. An internal investigation also revealed that the hacker had managed to break into the home directory of the root of the NIC to access all your data.

In a curious move that the government has restored the authority of the NIC to issue certificates, but also forbade them to do so for at least six months. Companies like Google and Microsoft have refused to accept certificates NIC and have stated many government websites certified by them as unsafe. Ironically, many key Indian websites and the website of the tax authority to enable the transfer of sensitive data are now dependent on foreign companies to certify their safety.

Apply Online Digital Signature Certificates through 'Digital Signature Mart ' Digital Signature Certificate in Delhi, India at very competative rates.

15:15 Share:

Controller of Certifying Authorities suspended three digital certificates

NEW DELHI: The Controller of Certifying Authorities (CCA) suspended three digital certificates issued by the National Informatics Centre Certifying Authority to prevent their misuse, Parliament was informed.

Digital Signature Certificates (DSCs) are issued by Certifying Authorities for electronic authentication of users, Communication and IT Minister Ravi Shankar Prasad told Lok Sabha.

The CCA, which is appointed under the Information Technology Act, 2000, licences Certifying Authorities to issue DSC.

DSCs are issued under Sub Section 4 of Section 35 of the IT Act and they facilitate e-commerce and e-filing of documents through authentication of users and their transactions, he added.

"Three certificates issued to NIC-CA were suspended by CCA. The unauthorised certificates that had been issued, were revoked by the NIC-CA. This was done to prevent misuse," Prasad said.

The incident has been investigated and the findings suggest that the perpetrators made an electronic intrusion in to the CA systems from outside India, he added.

"NIC-CA has been asked to revamp their infrastructure from all aspects -- technical, physical and procedural," Prasad said.

Besides, an advisory has been issued to all Certifying Authorities to examine and wherever necessary, strengthen security controls in the infrastructure used for DSCs issuance, the Minister added.

Last month, Google and Microsoft had complained about the unauthorised DSCs issued by NIC-CA.

Google in a blog post had said: "On Wednesday, July 2, we became aware of unauthorised DSCs for several Google domains.

"The certificates were issued by NIC of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities."

Similarly, Microsoft said it is aware of improperly issued SSL certificates that could be used in attempts to spoof content or perform phishing attacks.

"SSL certificates were improperly issued by NIC, which operates subordinate CAs under root CAs operated by Government of India's CCA, which are CAs present in the Trusted Root Certification Authorities Store," it added.

14:41 Share:

CoSign by ARX Receives Common Criteria EAL4+ Certification

The certification makes CoSign the first remote signing solution to be fully compliant with the new eIDAS regulation

LONDON, Jul 21, 2014 (BUSINESS WIRE) -- ARX , the global leader in digital signature solutions, is proud to announce that CoSign, its flagship product, has received Common Criteria EAL4+ certification from OCSI, the Italian information security certification organization, after undergoing rigorous testing of hardware and software security at the IMQ laboratory.

With this new certification, CoSign has been officially recognized as a highly secure, centrally managed remote signing device that fully complies with the Italian signature law that will be enforced starting next month. This certification also means that CoSign complies with the principles outlined in the European Union’s recently enacted ‘Electronic Identification and Trust Services for Electronic Transactions in the Internal Market’ (eIDAS) regulation.

Declared the strongest digital signature on the market by Forrester Research, CoSign offers a unique combination of powerful security features: The signature keys are housed in a fully secure Hardware Security Module (HSM) appliance, which also performs the remote signing process, ensuring that each user maintains sole control of his or her keys. In addition, two-factor authentication provides the benefit of an additional layer of security as required by the new eIDAS regulation.

Organizations that previously used smartcards can easily transition to the CoSign remote signing solution, enabling signers across the EU to digitally sign their documents while using the latest technologies. CoSign also allows Trusted Service Providers to offer new services to their customers, such as remote signing capabilities and qualified signatures on a variety of platforms including mobile phones and tablets. The easy-to-deploy CoSign solution will also enable organizations to easily establish internal private TSPs that can generate their own remote qualified signatures.

“We are proud that CoSign is now Common Criteria EAL4+ certified, opening new opportunities for millions of European businesses. As the first remote signing solution to fully comply with the new European eIDAS Regulation, we look forward to playing a significant role in the European transition to the use of secure remote signing,” said Ezer Farhi, VP of R&D at ARX and a member of the CEN and ESTI standardization committees.

Read more about cosign - http://www.marketwatch.com/story/cosign-by-arx-receives-common-criteria-eal4-certification-2014-07-21

Digital Signature Mart are providing All Types of Digital Signature Certificate such as class 2, class 3, and DGFT, Get Digital Signature Certificate by Digital Signature Mart from Delhi, India.

04:25 Share:

Akhilesh Yadav Launches Scheme to Make Offices Paperless

Lucknow: Uttar Pradesh Chief Minister Akhilesh Yadav on Saturday launched a scheme to make secretariat offices "paperless" by obtaining his digital signature.

"It is an important step aimed at not only increasing efficiency and bring transparency in working of departments, but also to turn the concept of green governance into reality," an official release issued in Lucknow said.

With taking a decision to make IT and Electronics department paperless in the first phase, the Chief Minister obtained his digital signature and approved a departmental file using the same, it said.

Using the e-office application developed by NIC, Mr Yadav directed all divisional commissioners and district magistrates that hurdle should not be faced by the people and students in obtaining various government services like certificates.

The Chief Minister said the government was committed for providing services and information to the people near their doorsteps through electronic delivery system, it said.

After making functioning of the Secretariat paperless, the disposal of files would be quick and it could be tracked immediately, Mr Yadav said.
Read more.. http://www.ndtv.com/article/cities/akhilesh-yadav-launches-scheme-to-make-offices-paperless-553538

Digital Signature Mart offers All India Digital Signature Certificate provider in Delhi at very lowest price.

07:42 Share:

Looking into unauthorised digital signature certificates issue: Govt

The government today said it is looking into the matter raised by tech giants Google and Microsoft which have said that the National Information Center (NIC) has issued unauthorized digital certificates.

The Controller of Certifying Authorities issues licenses and regulates the working of Certifying Authorities, who issue digital certificates for electronic authentication of users.

Digital signature certificate is like an electronic passport that allows a person, computer or organization to securely exchange information over the Internet.

When contacted, Department of Electronics and Information Technology Secretary R.S Sharma told PTI: “We are looking into this issue. Certifying Authority (CA) is taking appropriate steps and is working under the guidance of the CCA.”

In a blog post last week, Google said, “On Wednesday, July 2, we became aware of unauthorized digital signature certificates for several Google domains.

“The digital certificates were issued by NIC of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).”

Similarly, Microsoft said it is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks.

“SSL certificates were improperly issued by NIC, which operates subordinate CAs under root CAs operated by Government of India’s Controller of Certifying Authorities, which are CAs present in the Trusted Root Certification Authorities Store,” it added.

Meanwhile, CCA in a post on its website said: “Due to security reasons 3 CA Certificates issued to NICCA have been suspended and the corresponding CRLs have been updated for this purpose. Further updating will be notified.”

Google said it had alerted NIC, India CCA and Microsoft about the incident and blocked the mis-issued certificates in Chrome with a CRLSet push. “On July 3, India CCA informed us that they revoked all the NIC intermediate certificates and another CRLSet push was performed to include that revocation.”

The US-based firm said India CCA informed it about the results of their investigation on July 8.

“They reported that NIC’s issuance process was compromised and that only four certificates were mis-issued, the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains,” Google added.

Digital certificate provides identifying information, and is forgery resistant and can be verified.

It contains certificate holder’s name, a serial number, expiration dates, a copy of certificate holder’s public key and digital signature of the CA so that a recipient can verify the certificate.

06:11 Share: