Monday 18 August 2014

Security breach in National Informatics Centre allowed hackers to issue fake digital Signature certificates

Posted by Mohan Mahtha

A major security breach at the National Informatics Centre (NIC), which extends to all senior emails and websites of all central government departments, allowed hackers to issue several fraudulent digital certificates, raising global concerns about network security practices in India.

The NIC is one of a select few entities authorized to issue the digital certificates and signatures that are at the core of secure Internet transactions. On 25 June, hackers were able to break through its security and gain access to all the data in its home directory, which hosts its most sensitive data. They issued several false digital certificates that were not detected for several days.

Digital certificates help authenticate users and allow them to securely connect to email, make payments and perform sensitive transactions. A fake certificate can compromise critical data such as passwords and the personal information of Internet users, and can cause massive financial fraud if not detected.

With the NIC failing to detect the breach, the matter would have been buried but for the alarms raised by global IT majors such as Google, Bing and Yahoo. Most Internet traffic passes through their browsers and search engines, and an undetected false certificate could have resulted in major fraud and loss of sensitive data.

Since then, the NIC has tried to downplay the incident. "Our site was attacked from outside India. Auditors investigated between 4 and 7 July and urgent measures have been taken to mitigate the vulnerabilities," NIC CEO Ajay Kumar told Hindustan Times.

But on July 25, Matt Thomlinson, Microsoft's VP of security services, wrote to the Controller of Certifying Authorities, TA Khan, and to RS Sharma, secretary in the technology department, expressing deep concern about the lack of cooperation in addressing the security breach. The ministry also submitted misleading information to Parliament last week when questions were raised about the incident.

"They have been disappointed with the reluctance of your organization to share with us the research report," Thomlinson wrote.

"The current situation poses risks to consumers and businesses around the world ... (and) the attacker can alter network-based audit logs and erase the evidence of the certificates being issued."

According to Thomlinson, the failure "raises serious concerns about the reliability" of the entire security certification process in India.

"Microsoft supports an open, competitive certification authority (CA) market. Each CA included in the trusted root store of Windows must meet certain requirements. We constantly monitor the threat landscape and respond when necessary to help protect our global customers," he told HT.

Microsoft and Google were also upset with the Government of India's investigation. IAS said on July 7 that there were only four false certificates. But two days later, Google found a fifth false certificate issued by the NIC. An internal investigation also revealed that the hacker had managed to break into the NIC's root home directory and access all its data.

In a curious move, the government has restored the NIC's authority to issue certificates but has also forbidden it from doing so for at least six months. Companies like Google and Microsoft have refused to accept NIC certificates and have declared many government websites certified by it unsafe. Ironically, many key Indian websites, and the tax authority's website that enables the transfer of sensitive data, are now dependent on foreign companies to certify their safety.


Tuesday 12 August 2014


Controller of Certifying Authorities suspended three digital certificates

Posted by Mohan Mahtha


NEW DELHI: The Controller of Certifying Authorities (CCA) suspended three digital certificates issued by the National Informatics Centre Certifying Authority to prevent their misuse, Parliament was informed.

Digital Signature Certificates (DSCs) are issued by Certifying Authorities for electronic authentication of users, Communication and IT Minister Ravi Shankar Prasad told Lok Sabha.

The CCA, which is appointed under the Information Technology Act, 2000, licences Certifying Authorities to issue DSCs.

DSCs are issued under Sub Section 4 of Section 35 of the IT Act and they facilitate e-commerce and e-filing of documents through authentication of users and their transactions, he added.

"Three certificates issued to NIC-CA were suspended by CCA. The unauthorised certificates that had been issued, were revoked by the NIC-CA. This was done to prevent misuse," Prasad said.

The incident has been investigated and the findings suggest that the perpetrators made an electronic intrusion into the CA systems from outside India, he added.

"NIC-CA has been asked to revamp their infrastructure from all aspects -- technical, physical and procedural," Prasad said.

Besides, an advisory has been issued to all Certifying Authorities to examine and, wherever necessary, strengthen security controls in the infrastructure used for DSC issuance, the Minister added.

Last month, Google and Microsoft had complained about the unauthorised DSCs issued by NIC-CA.

Google in a blog post had said: "On Wednesday, July 2, we became aware of unauthorised DSCs for several Google domains.

"The certificates were issued by NIC of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities."

Similarly, Microsoft said it is aware of improperly issued SSL certificates that could be used in attempts to spoof content or perform phishing attacks.

"SSL certificates were improperly issued by NIC, which operates subordinate CAs under root CAs operated by Government of India's CCA, which are CAs present in the Trusted Root Certification Authorities Store," it added.
