A tweet containing an image of a letter from Central Provident Fund Commissioner Dr. V. P. Joy to Dinesh Tyagi, CEO of the Common Services Centre (CSC), appears to notify of “Data Theft from ICT Infrastructure of Aadhaar Seeding Service for Employees Provident Fund Organization”.
EPFO data stolen by hackers exploiting the vulnerabilities prevailing in the website (https://t.co/ohpaCFwomY) : VP Joy, Central Provident Fund Commissioner to MeitY.
Aadhaar case in SC at the last stage, how will the Govt defend this now? pic.twitter.com/yYQJ3qDiCh
— Arvind Gunasekar (@arvindgunasekar) May 2, 2018
The letter, marked “secret” and not verified so far, references a note from the Intelligence Bureau warning of theft of data by hackers exploiting vulnerabilities on aadhaar.epfoservices.com (currently offline), specifically a Struts vulnerability and Backdoor Shells.
“The IB has advised to adhere to best practices and guidelines for securing the confidential data, re-emphasizing regular and meaningful audit and vulnerability Assessment and Penetration Testing (CAPT) of the entire System from competent auditors and testers”, the letter says.
The letter notes that although the server is hosted at the National Data Centre, the CSC team manages it remotely. It requests the immediate deployment of an expert technical team to identify and patch the stated vulnerabilities, as well as any others on the server, and notifies that the servers have been stopped and services discontinued in the interim.
Earlier this year, the UIDAI had refused to renew its registrar agreement with CSC citing corruption and enrollment process violations.
According to CNBC-TV18 reporting “sources”, the services of CSC have been terminated after this incident.
The EPFO has issued a press release saying that warnings about vulnerability are a routine administrative process. “The news is regarding the services through common service centres and not about EPFO Software or data centre. No confirmed data leakage has been established or observed so far. As a part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks.”
The press release assures that the EPFO has been taking all the necessary precautions and measures to ensure that no data leakage takes place and will continue to be vigilant in the future.
The existence of vulnerabilities is not proof of them being exploited. However, given the importance of the data contained on the server, the IB’s assumption of data theft does not seem unrealistic (or they may have additional information as to the data being stolen that is not clear in this letter). The EPFO press release in the update denies that data theft has been established.
This letter is actually an example of an excellent response to a reported security breach, from a data security perspective, even if not from a server security perspective. Dr. Joy was alerted to a grave breach that compromised a lot of confidential data, and he made a very good immediate call on securing it: he made the data inaccessible by stopping the server and immediately alerted the server's administrators.
The press release, too, is a reassuringly measured response that explains their actions, gives a reasonable evaluation and promises vigilance. This is a refreshingly informative response coming from a government organization, in comparison with the usual denials, exaggerated claims of safety and targeting of those bringing vulnerabilities to attention.
Sadly, much is to be desired from the CSC’s side of things. The letter is dated 28th March. Today is the 2nd of May. The service is still offline. It should not normally take a competent team this long to secure a server. That the server was insecure in the first place is itself not a good sign: the Struts vulnerabilities, affecting Java-based web applications using Apache Struts, have been well identified and fixed in updates, and preventative measures have been published as well. This is not a zero-day vulnerability being exploited that would catch a web administrator unguarded.
So far, the website has been down for over a month. If the CNBC-TV18 report is correct in that the services of CSC have been terminated by the EPFO, the impact of this on mandatory linking of Aadhaar with Provident Fund is yet to be known.
Penetration testing should be a standard practice for running any secure server, and it is alarming that a non-technical organization has to tell the CEO of the CSC that it needs to be done on a server that has already had its data compromised. Regardless of the claims of the UIDAI or the government with regard to Aadhaar servers, it is not possible to guarantee the security of any system 100%: a secure system is run by a paranoid admin. It takes regular updates, testing, tweaking configurations and being alert to news of reported vulnerabilities to be reasonably sure of having secured a server against known threats. Unknown threats will still loom, and it is difficult to protect against really skilled malicious hackers, but the bulk of attackers will be eliminated as threats through regular and diligent security measures.
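The two preceding points, that the Struts flaws in question were already fixed in published updates and that staying secure against known threats is a matter of routine updates and alertness, come down to one recurring administrative check: knowing which version of a vulnerable library a web application actually ships and comparing it with the version the vendor's bulletin says is fixed. The script below is an added illustration of that check and is not code from the article, the EPFO, the CSC or Apache. It inventories `struts-core`/`struts2-core` jars in a `WEB-INF/lib` directory and flags any whose version is below a configured minimum for its release line. The minimum versions in `MINIMUM_PATCHED` are placeholders to be filled in from the vendor's security bulletins; the article names no specific Struts release, and the jar names in `SAMPLE_LIB` are constructed for the demonstration.

```python
"""Added example: flag Apache Struts jars below a configured minimum version.

Not part of the original article. MINIMUM_PATCHED holds PLACEHOLDER values;
an administrator sets them from the vendor's security bulletins.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Matches jar names such as "struts2-core-2.3.20.jar" or "struts-core-1.2.9.jar".
# The version must have at least two numeric components so a release line
# (major.minor) can always be derived from it.
JAR_RE = re.compile(r"^(struts2?-core)-(\d+\.\d+(?:\.\d+)*)\.jar$")

# PLACEHOLDER minimum fixed version per release line ("artifact:major.minor").
# These are NOT real advisory values; replace them with the versions named
# in the vendor bulletin that applies to your deployment.
MINIMUM_PATCHED: Dict[str, str] = {
    "struts2-core:2.3": "2.3.99",
    "struts2-core:2.5": "2.5.99",
}

# Constructed sample of a WEB-INF/lib listing used for the demonstration.
SAMPLE_LIB = [
    "struts2-core-2.3.20.jar",   # below the configured minimum for the 2.3 line
    "commons-io-2.4.jar",        # not a Struts jar: ignored
    "struts2-core-2.5.99.jar",   # meets the configured minimum
    "struts2-core-2.1.8.jar",    # release line with no configured minimum
]

Finding = Tuple[str, str, Optional[str]]  # (jar name, found version, required minimum)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.3.20" into (2, 3, 20) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def scan_lib(jar_names: Iterable[str], minimums: Dict[str, str]) -> List[Finding]:
    """Return one finding per Struts jar that is either older than the minimum
    configured for its release line, or on a line with no configured minimum
    (reported with minimum None so an administrator reviews it rather than
    silently passing it)."""
    findings: List[Finding] = []
    for name in jar_names:
        match = JAR_RE.match(name)
        if not match:
            continue  # not a Struts core jar
        artifact, version = match.groups()
        parsed = parse_version(version)
        line = f"{artifact}:{parsed[0]}.{parsed[1]}"
        minimum = minimums.get(line)
        if minimum is None:
            findings.append((name, version, None))
        elif parsed < parse_version(minimum):
            findings.append((name, version, minimum))
    return findings


def scan_directory(lib_dir: str, minimums: Dict[str, str] = MINIMUM_PATCHED) -> List[Finding]:
    """Run scan_lib over the jar files actually present in a WEB-INF/lib directory."""
    return scan_lib((p.name for p in Path(lib_dir).glob("*.jar")), minimums)


if __name__ == "__main__":
    for jar, found, required in scan_lib(SAMPLE_LIB, MINIMUM_PATCHED):
        status = "no configured minimum, review" if required is None else f"below minimum {required}"
        print(f"{jar}: version {found} {status}")
```

Run against a real deployment with `scan_directory("/path/to/webapp/WEB-INF/lib")`. A jar whose release line has no entry in the table is reported rather than ignored, because an unlisted line is exactly the case where an administrator has not yet checked the bulletin. The check is deliberately version-based and offline; it complements, rather than replaces, the vulnerability assessment and penetration testing the letter calls for.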
This concern had also been raised by the anonymous group of hackers calling themselves “LulzSec India” when they reported a breach on the Income Tax servers – the key observation was that the server was running on outdated software. While they have declined to make details of the breach known till it gets patched (they reported it before announcing it on Twitter), a month later, they have still not revealed the nature of the breach. This is an unacceptably long time to fix vulnerabilities.
“Not the first EPFO leak”
Security researcher Anivar Aravind posted a tweet commenting on this vulnerability:
Let's note it is not the first leak. India's Planning body @NITIAyog created an export option for same EPFO data and placed the entire database on a file server and provided a public URL to non-governmental researchers earlier cc: @Amannama https://t.co/OVzgX95whG
— Anivar Aravind (@anivar) May 2, 2018
He was referring to the data from the EPFO being provided to private researchers by the NITI Aayog to conduct an “independent” study on employment generation. The EPFO, in this instance, provided the data believing that it was being given to a government entity. It was not intended to be shared with private individuals, as the NITI Aayog did.