Thursday, April 04, 2013

NIA’s Cyber Blunder, Uses Gmail To Get Info On Hyderabad Blasts

A recent advertisement in national dailies by the National Investigation Agency (NIA) has sparked off concerns about the professionalism of the agency’s intelligence gathering mechanisms. In the advertisement, the NIA had announced a reward of Rs 10 lakh for information on the 21 February Hyderabad blasts. 

In addition to the landline phone number and postal address of its Hyderabad branch, the agency has given a gmail id (dilsukhnagartwinblasts@gmail.com) on which people can send information/ leads that will help apprehend those responsible for the blasts.

Experts say that receiving such crucial information on the server of a private company (Google) can be a threat to national security.

In the absence of uniform email ids provided by the national informatics centre (NIC), it is a common practice for government departments to exchange information on servers of private companies. Add to this, the fact that it is actually easier to compromise an NIC server than a gmail server.

But that cannot be a reason for a premier investigating agency such as the NIA to use the server of a private company, said Jiten Jain, cyber security analyst and co-founder, The Hacker’s Conference.

“Though it cannot be denied that Gmail servers are more secure and trusted than NIC servers to defend against any hacking attempt, under no circumstances can it be expected that the national investigation agency of a country will use the email servers of private company based in a foreign country. The government must use its own secure email servers and if NIC cannot provide a secure email server then I think alarm bells are ringing,” said Jain.

A major issue with authorities like the NIA using web based mail clients like Gmail, is that the authorities in the United States, where Gmail is headquartered, can legally access the information on the server without the government of India even knowing about it..

“The US authorities can access any information put on the Gmail server. They don’t need a court warrant to access that information,” said Prashant Mali, a Mumbai based lawyer and cyber security expert. “It is like saying that since our own servers are not secure, let’s make America privy to all our information,” he added.

The controversial Cyber Intelligence Sharing and Protection Act (CISPA), which was reintroduced to the US House in February 2013, makes the exchange of electronic information between Internet service providers and US government possible.

“The bill is written broadly enough to permit your communications service providers to identify, obtain, and share your emails and text messages with the government,” noted the Electronic Frontier Foundation (EFF), a US based digital rights body.

“Companies would also be immune from both civil and criminal liability for any action, including but not limited to violating a user’s privacy, as long as the company used the powers granted by CISPA in good faith. The immunity even extends to decisions made based on any information directly pertaining to a security threat. The consequences of such a clause are far-reaching,” said EFF referring to a CISPA clause that allows companies to use cyber security systems to identify and obtain cyber threat information to combat a threat.

Another serious implication of the NIA using a gmail id, that too with an arbitrary username, is that anyone can create a fake email id and ask for information on the pretence that they are an official from a probing agency.

In April 2012, Bihar police arrested one person accused of creating a fake website for the Patna High Court. “The fake website had a link to a webpage which invited applications for recruitment in Group D posts,” reported The Telegraph.

A fake website for the Bombay High Court also came to light in May, 2012, after which the Mumbai police swung into action to take it offline, as per this news report in DNA.

Commander Mukesh Saini (Retd), former national information security coordinator, government of India, said, “This message may be from the real NIA but anyone can forge a similar message to gather unauthorised information or issue fake notice to be responded to under fake authority. Hence if  a ‘nic.in’ account is not used, there is no assurance of real authority.”

The NIA is yet to respond to an email query sent by Firstpost on this issue.

This goof up by the investigation agency comes at a time when the country has witnessed an upsurge in the number of cyber assaults, targeting both government and private websites. Over 270 government websites were hacked last year (till July), as per a written reply given by Minister of State for Communications and IT Sachin Pilot to the Parliament.

In total, more than 14,000 websites were hacked in 2012 (till October) as compared to 9180 sites compromised in the year 2009, according to data maintained by Indian Computer Emergency Response Team (CERT-In), national nodal agency for responding to computer security incidents, functioning under the Ministry of Communications & Information Technology.

No comments: