A cyber security company Seqrite, along with its partner seQtree on September 29 discovered a possible breach at India's National Internet Registry and notified it to the Indian government. The company in their blog said that they discovered about the breach via an advertisement that the hackers had apparently had put up as – “access to the servers and database dump of an unspecified Internet Registry” on a darknet platform. Upon further research and interacting with the seller, the team confirmed that the breach was legitimate and the unspecified registry was IRINN when they discovered critical data of some of the most important and high-profile organizations of India.
Indian Registry for Internet Names and Numbers (IRINN) provides allocation and registration services of IP addresses (the internet address used by devices to reach other devices on the internet) and Autonomous System numbers. It comes under NIXI (National Internet Exchange of India) which “is the neutral meeting point of the ISPs in India with the primary objective being the facilitation of exchange of domestic Internet traffic between peering ISP members.” – reads their website.
The dealer, during a conversation with the security team which was posing as an interested buyer, said “In client Database you can get username, email ids, passwords, organisation name, invoices/billing documents, and few more important fields. You can also control IP range of respective organisation. You can entirely shut down that organisation.
“Disrupting the internet is one small part of the real risks if the data falls into wrong hands. If exploited, a malicious user could infect even the most trusted and secured websites & servers to display real looking, backdoored pages and steal critical information of hundreds of millions of Indians,” said Ankush Johar, Director of BugsBounty.com – A crowd-sourced security platform for ethical hackers and organisations.
“This is a big wakeup call for the government of India suggesting that the present security mechanisms might not be enough to safeguard the citizens of the country,” he added.
“Learning from other governments overseas might do the job for India too. It's time to crowdsource the security of such critical applications because it's simply better to have ten thousand ethical hackers to verify the security instead of a few hundred security analysts and all this can be done via bug bounty programs that allow efficient utilization of ethical hackers in India. Even The US Army and The US Navy have successfully conducted bug bounty programs in the past, now it's time for Indian organisations to open up to crowd-sourced security”
