Despite Warning, Data From K’taka Police Sites Leaked on Dark Web
A few harmless keystrokes is all it takes to extract citizens’ private data, and lay bare sensitive personal information from the ‘darkest’ corners of the internet.
Hidden away in a folder – on one of the thousands of anonymous websites that constitute the Dark net – are the names, phone numbers, addresses, passport numbers and dates of birth of over 350 Bengaluru citizens, complete with BangaloreOne transaction numbers, email addresses and the jurisdictional police stations.
This discovery was made earlier this year by a Bengaluru-based private cyber security company, two years after the websites of the Bengaluru City Police and Karnataka State Police were hacked in 2016. While the hacking of the Bengaluru city police website led to citizens’ private data ending up on the Dark net, from where it is nearly impossible to remove, the KSP hacking resulted in email addresses, passwords and other account information of cops ending up in the public domain.
The Dark net is frequented primarily by those who wish to remain undetected, and data on it is up for grabs to the highest bidder. If misuse is the intent, criminals and hackers can access the data and use it to create pseudo identities to make fraudulent transactions in banned goods, without assuming any of the risks.
It Could All Have Been Avoided
In May 2015, at least six months before the hacks occurred, Gagai Jain, the CEO and founder of Cybersafe, the company that discovered the data online this year, had sent a video to senior police officials, highlighting the vulnerability of the Bengaluru city police website to a common form of hacking. Prima facie, nothing was done to resolve it.
Being only a Bachelor of Computer Application (BCA) at the time, he had been perusing the internet to test the vulnerabilities of various portals in the course of getting certified as an ethical hacker, when he chanced upon the BCP website and found it vulnerable to SQL injection. This is a common hacking technique whereby an attacker can infiltrate a web application’s database server by feeding malicious code through web page inputs.
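The flaw class described above, as an added example that is not code from the article or from the police website: a lookup that builds its query by string formatting, beside the same lookup with a bound parameter. The table, column names, records and function names are hypothetical and constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory table of constructed, fictional records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applications (txn_no TEXT, name TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO applications VALUES (?, ?, ?)",
        [
            ("TXN-0001", "Resident A", "555-0101"),
            ("TXN-0002", "Resident B", "555-0102"),
            ("TXN-0003", "Resident C", "555-0103"),
        ],
    )
    return db


def lookup_vulnerable(db, txn_no):
    # Weak: the form value is pasted into the SQL text, so quote characters
    # in the input change the structure of the query itself.
    sql = "SELECT name, phone FROM applications WHERE txn_no = '%s'" % txn_no
    return db.execute(sql).fetchall()


def lookup_parameterized(db, txn_no):
    # Hardened: the value is bound as data and the query structure is fixed,
    # so the input can only ever be compared against the txn_no column.
    return db.execute(
        "SELECT name, phone FROM applications WHERE txn_no = ?", (txn_no,)
    ).fetchall()


# Constructed input containing quote characters, as typed into a web form.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "TXN-0002"))
    print("vulnerable, crafted input:", len(lookup_vulnerable(db, CRAFTED)), "rows")
    print("parameterized, crafted   :", lookup_parameterized(db, CRAFTED))
```

The string-built lookup returns every record in the table for the crafted input, while the parameterized lookup returns none because no transaction number matches that literal string.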
Cops Confirm Prior Knowledge
Confirming the advance intimation, a former top cop, now no longer affiliated with any branch of police in the state, told The Quint:
As we know, data from the site was leaked the following year.
When such sensitive data is involved, it becomes the duty of law enforcement to not only safeguard the people but also their identity. While collecting such large amounts of personal data, it is imperative for public institutions to also implement a data security mechanism.
How the Leak was Discovered
Cybersafe, a consulting firm employed by several state governments for identifying potential threats and vulnerabilities, had been tracking the internet to detect any information regarding terrorist activity and Jihadist website engagement within the country, earlier in May.
A basic search – of both the universally used Clear net, as well as its more notorious underbelly, the Dark web – using keywords like Karnataka, Bengaluru, etc. led to both findings. While only a certain amount of data has been hosted on both portals, the scope of information that could have been hacked and stored elsewhere remains infinite.
Jain explained that by gaining access to the portal and server of the city police, the hackers would also gain access to all the data stored on the database, collected by the police for various purposes.
“Once the website vulnerability to SQLi has been detected, it is possible to clone and interact with the entire database through the user’s own browser using another open source tool. Basically, this will give the hacker access to all information stored on the database. In the case of Bengaluru city police website, we also found that information about the logins and passwords of various police stations, verification details of domestic workers, information collected by traffic wardens etc, was within reach. Almost 90 percent of all government websites are vulnerable to SQL injection,” he said.
Dangers of the Dark Net
In the wrong hands, the personal information of citizens can be used to open bank accounts, make malicious transactions, for impersonation, identity theft and other illegal activities. Worryingly, it is almost impossible to have data taken down from the Dark web, where this information is still being hosted.
The Dark web is a collection of thousands of websites that cannot be accessed through normal browsers used by the average person. It uses various tools to hide IP addresses, and is notorious for being used for prostitution, drug peddling, purchase of arms, counterfeit documents and other information, without being detected.
Anonymous websites that are not always online and accessible make it harder to track down the true perpetrator. Transactions are conducted with nameless, faceless strangers through electronic currency such as Bitcoin.
Even Storing Personal Email Addresses Risky
Information hosted on the Clear net, however, is far easier to deal with. Law enforcement agencies need to furnish a letter from the government claiming that personally identifiable information (PII) was being hosted on the site and that it needs to be taken down.
According to Jain, the KSP site was being hosted on Joomla!, a free and open source content management system, used for publishing web content.
According to Jain, “There were no plug-ins to detect breaches. Using Google Dorks, which can be used to find vulnerabilities and access hidden information, it is easy to hack and store information on the Clearnet.”
“Typing in relevant keywords can reveal where the information is being hosted. It is risky for government agencies and other departments as well to host even the email addresses of personal accounts as they can easily be misused using email spoofers and IP address spoofers, which can make it look like an email was sent from a particular web account and a specific IP address,” said Jain.
Cops Ill-Equipped to Handle Data Breaches?
A senior official working with cybercrime in the Criminal Investigation Department, when asked about the leaked KSP data that’s still online, reacted with ignorance by questioning how moving information from one public portal to another constituted a hack.
“What is wrong if information is taken from one public portal and hosted on another, does that qualify as a hack?”
When The Quint reporter clarified that the information was being hosted on Siph0n, a site for dumping leaked information, and that it contained IP addresses and passwords as well, he admitted that he did not have total information regarding the nature of the hacking, and that no complaint had been lodged with the CID.
An official from the state intelligence bureau said while he couldn’t comment on the nature of the hacks or the extent of the investigation, the standard operating procedure was to intimate senior officials on the detection of a possible attack.
“We have only started receiving training in network hacking and Darknet usage for the last few weeks. It is a three-week training course for which we picked officers with prerequisite knowledge and experience in working cyber crime cases. We understand that such training is the only way to crack cases involving the Darknet,” he said.
Despite repeated attempts, officers from the city’s cyber crime wing were unavailable for comment.
Citizens Register Shock, Confusion
When The Quint reached out to some of the people whose private information has been compromised, the first reaction was disbelief followed by a slew of questions.
A software engineer and resident of Malleshwaram, north west Bengaluru said, “I don’t know how to react. What is it that I can do, what options do I have? If their own website is hacked, what is the use of complaining to them?”
An LIC agent who was also a victim of his data being compromised confessed his total helplessness. “What can I do? I thought Bengaluru would be safer than other metro cities. I’m concerned but have no idea whom to take this to. I’ve no idea about technology or computers either. How much risk am I in now?”
Draft Bill Doesn’t Mandate Notifying Data Breaches
While lawyers and experts have already decried the validity and effect of the Draft Personal Data Protection Bill, 2018, there is one clause in particular that absolves authorities collecting information of even reporting such breaches to those whose information has been compromised.
Clause 5 of the Personal Data Breach section of the Bill states that it is up to the judgement of the authority whose site has been hacked to decide whether or not to inform those whose privacy has been violated.
S Prasanna, a Supreme Court advocate who has argued in the Aadhaar case, said the problematic clause followed the overall principles of nationalisation of personal data that dictate the Bill.
“Nationalisation of personal data punctuates every clause of the Bill. The authority doesn’t have to inform because they are collecting the information, they have authority over the information to monetise and use as a resource. However, it also misrepresents the history of the legislation,” Prasanna said, adding:
“The entire idea of privacy came about only in the context of Aadhaar, where the government was the only authority, the actions of which had to be scrutinised. It arose from the consciousness that the government could be abusing its authority. Now, the Bill is cleanly painting the government as the good guys and private firms as the bad guys, whereas it originated from the opposite sentiment.”
Evolution of Operating Procedure Not at Pace With Digitisation
Independent security researcher Srinivas Kodali said almost none of the police departments across the country followed any basic security protocol when it came to collecting and securing public information. Considering the amount of surveillance they are required to do, it also empowers them to collect large amounts of data for various purposes.
“Many of the police departments do have cyber crime divisions, but they are mostly toothless. They can at most identify the IP address from where the threat came to identify the location of the perpetrator. They are mainly focused on crimes involving the loss of money, or more important murder charges, but basic data privacy is often left by the wayside. The increased impetus on digitisation has not been matched with a corresponding evolution of the operating protocol,” he said.
Kodali also pointed out that while there was a lack of importance being paid to issues of data theft and violation of privacy, there was also a lack of capacity and technical skill.
“Policing needs structural reforms. This is not the first time that the Bengaluru city police has failed to safeguard data. In 2015, the police made 13,000 call data records available for a hackathon. There was no response to our written complaint. When it comes to privacy and security, there is disproportionate power in the hands of the cops by allowing them to collect sensitive data. When they are unable to secure it, the authority over such data is passed on to criminals,” he said.