Indian Govt. Websites are damn hackable

At a time when India is reaching new heights in the Sensex and GDP and aspiring to join the list of developed nations, one thing that really pisses me off is India's unawareness of and disinterest in information security; at least the poorly configured govt. websites reflect this. After I encountered the vulnerability in the server at hosting.bsnl.in (a subdomain of bsnl.in, pointing at another server), I did, out of curiosity, a vulnerability assessment of some Indian govt. websites.

The web applications, the OS on the servers and even the SQL servers are untouched since their first installation. Most of the servers run Windows 2003 (unpatched or SP1) and flaunt their vulnerabilities like anything. (No surprise why they get hacked!) Most of the time I could carry out the port scan without the -PN parameter on nmap, i.e. the hosts happily answered host-discovery probes.

When I first tried to inform the officials at BSNL about the vulnerability, I was taken aback by their response. They did not even understand what I was talking about! It took me some time to make them understand what I meant.

Some of the govt. websites that gave me admin privileges are:

subdomains at easternrailway.gov.in and rajasthan.gov.in, and of course hosting.bsnl.in (not accessible now, though the server exists)

My conversation (on the phone) with an officer at Eastern Railways:

———————————————————————————————————————————————————————————————————————————————————-

Me: Hello Sir, is this the DG?

Officer: Who is this?

Me: Sir, I want to report a vulnerability in your website.

Officer: What vulnerability, what website? (he mispronounced "vulnerability")

Me: Can I talk to the DG?

Officer: Sir is out for some official work.

Me: Okay, please inform him and ask him to check his email.

(I could hear him chatting with his colleagues, in Bengali I think; he was saying "Someone is talking about the website")

Me: Ok, thanks…

————————————————————————————————————————————————————————————————————————————————————————

Anyway, I have informed the webmasters of the respective websites about the vulnerability and, as proof, attached videos of the successful logins. I have preserved the videos demonstrating the hacks and wish to publish them here, provided the servers get patched.

It is really annoying when some terrorist organizations hack the websites and leak the confidential data.

Admins, wake up now or get shamelessly hacked every now and then!
