Not good news for visitors and information seekers who wish to access data from websites of several departments of the Karnataka government.
Various Karnataka government departmental websites do not have a Secure Sockets Layer (SSL) certificate, which leaves them exposed to hackers who can deface the websites and steal data, information, and more.
Recently, a report said that the main accused hacker in the Bitcoin-Bribe case in Karnataka—Sriki—had a hard drive, which revealed that the Karnataka government’s e-procurement website had been hacked in 2019.
“SSL certificate is mostly used when any confidential information is involved. It connects users to a website using a Hypertext Transfer Protocol Secure network (HTTPS). A website which does not have an SSL certificate is prone to a man-in-the-middle attack, which means anyone can see what a user is sending to the client,” said Abdeali Bhagat, a website designer based out of Mumbai.
Mukesh Choudhary, a cyber-security expert, said, “Many state governments in the country do not audit their websites. This leaves many possible vulnerabilities open for hackers to penetrate and hack the websites. To avoid this, they should audit their departmental websites often.”
He explained that the Indian Computer Emergency Response Team (CERT-In), the nodal agency to handle and deal with hacking and cyber-security threats under the Ministry of Electronics and Information Technology (MeitY), performs audits of various governmental websites. “CERT appoints private companies to audit governmental websites through a test. Once the private companies clear the tests, they are eligible to audit the governmental websites and present the Vulnerability Assessment and Penetration Testing (VAPT) Report, which mentions every problem and possible solutions,” he said.
An SSL certificate not only keeps the website secure from hackers but also proves the authenticity of the website.
“If any governmental website does not contain important data regarding government deals or consumer credentials, etc. it is up to the government whether they wish to have an SSL certificate for that website or not. But due to the rise in modern technology and defacement techniques, it is always recommended to have an SSL certificate as it establishes the authenticity and credibility of the website,” said Choudhary.
CERT-In establishes guidelines for auditing governmental websites. Two of the guidelines focus on the security factor of the server of the website.
Explaining the security testing of the servers, Choudhary said that many times, governmental websites are hosted on the same server. If one website is hacked, all the other websites become vulnerable, even if they have an SSL certificate.
“An isolated server is the best option to host a governmental website. The chances of hacking this server are very low,” he added.
According to Zone-h.net, a security news and cybercrime archive website which maintains a database of all the hacks performed and reported to it, in 2021 alone, around 44 websites with the domain “gov.in” were either fully, partially or mass defaced.
“Many of the websites of the Karnataka government are old and some of them are maintained by National Information Centre (NIC). Some are redundant as well,” said Sri. M.R. Satish, Project Director, Karnataka State Web Portal.
“Also, we have asked all the departments to switch over to our model template uniform resource locators (URLs) ending with ‘karnataka.gov.in.’ It’s in process,” he added.
Choudhary said that the domain of the website is not that important. “Many a time, a website with a government-allotted domain shows that it has an SSL certificate but becomes the victim of a hack. This is because the SSL certificate of the website expires and is not renewed,” Choudhary added.
The National Crime Records Bureau Report 2020 shows that Karnataka ranks first in computer-related cybercrime offences. The state recorded over 10,109 cases, around 50 percent of all computer-related cybercrime offences in the country.
“India has a toothless cybercrime law and the conviction rate under the Information Technology (IT) Act, 2000 is very low. To get the conviction started, the investigation revolves around different offices and reaches the Forensics lab. Till that time, a hacker can easily hack and delete all the data,” said Mirza Faizan Azad, law consultant at Legal Tree.
While inaugurating the Cybersecurity Awareness Month Program on October 5, 2020, the Minister for Higher Education; IT and BT, Science and Technology; Skill Development, Entrepreneurship and Livelihood, Dr Ashwath Narayan said that the state will soon launch its own cyber-security policy.
“There is no proper management, security structure, and infrastructure in the state to handle cyber-security cases. A strict law, upgraded tools and knowledge are required,” Azad added.