At this time, when India is reaching the heights in Sensex and GDP and aspiring to be in the developed nations’ list, one thing that really pisses me off is India’s unawareness and disinterest in the Information Security dept., atleast the poorly configured govt. websites reflect this. When I encountered the vulnerability in the server at hosting.bsnl.in ( subdomain of bsnl.in, pointing at another server), I out of curiosity, did vulnerability assessment of some of the Indian govt. websites.
The web applications, OS at servers even the SQL servers are untouched since their first installation. Most of the servers run Windows 2003 ( unpatched or sp1) and flaunt their vulnerability like anything.( No surprise why they get hacked !) Most of the time I could carry the port scan without using -PN parameter ( on nmap).
When I first tried to inform the officials at BSNL regarding the vulnerability, I was set aback by their response. They did not even understand what I was talking about ! It took me sometime to make them understand what I meant.
Some of the govt. websites that gave me admin privileges are :
subdomain at easternrailway.gov.in , rajasthan.gov.in and ofcourse, hosting.bsnl.in ( not accessible now though the server exists)
My conversation (on phone) with an officer at eastern railways :
Me : Hello Sir, is this the DG ?
Officer : Who is this ?
Me: Sir, I want to report a vulnerability in your website.
Officer: what vulnerability, what website ? (he mispronounced “vulnerability“)
Me: Can I talk to the DG ?
Officer: Sir is out for some official work.
Me: okay, please inform him and ask him to check his email.
( I could listen his chatting with his colleagues in bengali I think, he was saying ” Someone is talking about the website“)
Me: Ok thanks…
Anyway, I have informed the web-masters of the respective websites about the vulnerability and as a proof attached the videos of the successful logins. I have preserved the videos demonstrating the hacks and wish to publish them here provided the servers get patched.
It is really annoying when some terrorist organizations hack the websites and leak the confidential data…..
Admins, Wake up Now or get shamelessly hacked every now and then !