Stricter Email Login Now for Govt Babus Prone To Leaking Passwords
The National Informatics Centre, which provides ICT and e-governance support to the government, has decided to make additional security measures mandatory for ‘gov.in’ emails in a bid to guard against sensitive government communication being compromised, The Quint has learnt.
The move comes after repeated incidents emerged of government officers’ official email passwords being compromised due to negligence in basic security practices. The negligence ranges from routinely falling for phishing emails to writing down passwords on scraps of paper, senior NIC officials said.
The Quint had reported on 25 January that over 3,000 emails and passwords of various government and public-sector enterprises were found in databases of leaked IDs on the deep web and the dark web. The NIC, however, has denied any evidence of passwords having been compromised.
A senior official at NIC said they checked the usernames and passwords and the same do not appear to be compromised.
NIC has confirmed that existing measures such as 2-Factor Authentication (2FA) and geo-fencing of emails, which until now were voluntary, will be made mandatory to prevent unauthorised access to highly sensitive government emails.
“Government email accounts contain highly sensitive information as well as confidential documents like tenders,” said a senior official at NIC.
“Despite several cautionary instructions, we have often seen negligence among officials. The last mile, which is the ‘gov.in’ email user, is often the weakest in the security chain,” the officer added.
How Passwords Are Compromised
The National Informatics Centre operates and maintains three National Data Centers – in New Delhi, Pune and Hyderabad – and 31 State Data Centers. A total of 1,076 virtual domains, all gov.in email IDs, are hosted on servers maintained by NIC.
Officials say that despite the measures that have been taken, last-mile security, i.e., security practised by those with gov.in emails, has often proved to be the chink in the security armour.
Passwords Kept in the Open/Shared with Staff
NIC officials say that among the most common forms of negligence they have observed is gov.in email passwords being shared with staff members or even being noted down on sticky notes which are openly displayed. “This appears to be a common practice for designation-based email IDs,” the official said.
Falling for Dubious Links
Clicking on phishing links disguised as genuine emails has led to several passwords of official email IDs being compromised.
A downside of good download speed in government offices is the indiscriminate downloading of files and attachments even if they appear suspicious, say NIC officials. “Since there is no network latency and files download easily, it has been observed that many, especially mid-level employees, download everything, including malicious files,” an official explained.
Outdated Operating System
A major reason for passwords being compromised is the vulnerability of systems running on outdated operating systems. In May 2017, in one of the largest ransomware attacks in history, millions of computers across 150 countries were affected by WannaCry ransomware. It targeted computers running on outdated versions of Microsoft operating systems. The ransomware encrypted files and asked for payment in bitcoin to decrypt the same.
2-Factor Authentication to Be Mandatory
Senior officials at NIC told The Quint that in view of the negligent practices seen among public-sector and government officials, previously voluntary provisions like 2-Factor Authentication will be made mandatory for all in order to log in.
“We have raised the issue in writing with the Ministry of Electronics & IT. While common best practices like 2-Factor Authentication are already available and voluntary for those using gov.in emails, we are now moving to make it mandatory to log into accounts,” said a senior official.
A Government ‘KAVACH’
Kavach, available as an app, is a secure 2-Factor Authentication platform, implemented for government email service, including gov.in email IDs. It’s similar to 2-Factor Authentication in Gmail – when a user attempts to log in to their email account using the correct credentials, they receive an alert in the Kavach app.
NIC officials added that the E-mail Policy of Government of India, drafted in 2014, will be updated to reflect the changes in security protocol.
Moreover, the Ministry had also published a ‘Password Policy’ which clearly specifies measures to create strong passwords. However, leaked emails on the deep web showed that most of them were too simple to be effective. Instructions in the policy include:
- The password shall not be a word found in a dictionary (English or foreign).
- The password shall not be a derivative of the user ID, e.g. 123.
- The password shall not be a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.
Users can allow or block access to their email accounts from any specific country through a self-service portal. In simple words, an employee will be able to log in only from a location identified as the base. When they travel, employees will need to inform the NIC about the duration of the same so that geo-fencing can be disabled for that period.
Centralisation of Security Needed
A senior officer told The Quint that larger systemic issues need to be addressed to ensure sustained security of government communications. Identifying disciplinary issues as a core aspect of improving security, the officer listed three reasons for poor security.
“Computer systems across government and public-sector offices have been bought at different times, many of them outdated and vulnerable. This is either due to ignorance, or budget issues or because despite availability of budget, departments are not bothered,” he said.
“All departments are allotted an IT budget but seriousness is an issue. Centralisation of security of all government departments will not only ensure better implementation and monitoring but also bring down costs significantly,” he added.