Tuesday, September 11, 2018

UIDAI base software hack, ID database agreement, experts confirm

UIDAI base software hack, ID database agreement, experts confirm
UIDAI base software hack, ID database agreement, experts confirm

New Delhi- The authenticity of the data stored in the controversial base identification database of India, which includes biometrics and personal information of more than 1 billion Indians, has been compromised by a software patch to be used to nominate new base users. Disables important security features of the software. Patch-free is available for free for Rs 2,500 (about $ 35) - allows unauthorized individuals to generate Aadhaar numbers anywhere in the world, and is still in widespread use. There is a significant impact on national security at this time when the Government of India has demanded the formation of a golden standard for citizen identity, and it is mandatory for everything from using mobile phones to reach bank account.
There is a bundle of code used to replace the functionality of a patch software program. Companies often use patches for minor updates for existing programs, but in these cases, a vulnerability can be used and also used for damages.
• The patch allows the user to bypass important security features such as biometric authentication of the enrollment operators to generate an unauthorized base number.
• Patch Nomination Software's built-in GPS security feature (used to identify the physical location of each enrollment center) means, which means that anywhere in the world - say, Beijing, Karachi or Kabul - Nominated users You can use the software to do this.
• Patch reduces the sensitivity of the enrollment software's iris-recognition system, which makes it easy to spoil the software with the photograph of a registered operator, rather than requiring the operator to be present personally.
Experts advised that the vulnerability base is internal to the technical options introduced at the beginning of the program, which means that a change in the basic structure of the base will be required to correct it and other future threats.
Gustaf Bjorkston, the chief technologist at the Global Technology Policy and Advocacy Group, Access Now, said, "The person who created the patch was very motivated to compromise the base." And one of the specialists analyzing the patch said.
Bjorksten said, "Maybe many individuals and institutions, criminals, political, domestic and foreign, who will gain substantial benefits from this agreement of the basis for investing in making patch worthwhile." "To have no hope of securing the base, the system design must be changed by default."
Bangalore-based cybersecurity analyst and software developer Anand Venkatanarayanan shared his conclusions with the officials of NCIIPC government, said that patches were assembled by preparing code from earlier versions of the base enrollment software - in which fewer security features on new versions of the software Were there
NCIIPC, or the National Critical Information Infrastructure Conservation Center, is the nodal agency responsible for ground safety.
Dan Wallach, professor of computer science at Rice University in Houston, Texas, and the findings of Venkataranayanan by electrical and computer engineering were confirmed.
"Looking at the report presented by patch code and pleasure, I feel very comfortable saying that the report is correct, and it can allow somebody to stop security measures and build new entries in the base software. It is very viable, And looks like something that would be possible for the engineer, "said Walch.
A series of practical elections
The origin of the present hack is contained in the decision made in 2010, so that private agency can nominate users in the base system to accelerate enrollment. In that year, Bangalore-based company Mindri won a contract to develop an official, standardized enrollment software named Nomination Client Multi-Platform (ECMP) - which will be installed on thousands of computers created by these private operators.
In addition to the private enrollment agencies, UIDAI also signed the nomination agreement with "General Services Center" - village level computer kiosks, which help citizens reach normal e-governance services such as pension, student scholarship etc. Until February 2018, these centers were responsible for the nomination of 180 million Indians
Cybersecurity expert Bjorksten said, "This decision to install software on each nomination computer," is called to run important components of the base in the hands of the system's enemies ".
A more secure option would be a web-based system in which all software will be installed on UIDAI's own server and the nomination operators will have a username and password to access the system.
(There is a useful analogy between Microsoft Word - which is installed on the computer - and web-based Google Docs, which are hosted online by Google, and users simply log on to access the service.)
UIDAI base software hack, ID database agreement, experts confirm

B. Regunath, a software architect who led the team in Mindtree, who worked on the project, said that a web-based enrollment software for the base was not practical at that time because there were very few internet connectivities in many parts of the country.
"People were just cranking the generator to highlight power and enrollment. How can they upload those packets online?" Asked by Regunath, who later moved to a senior technical position in Flipkart.
Regunath said, "We launch and release the first Aadhar card three months after the election," recalling that the publicly announced deadline was launched to meet, without all the software features.
To compensate for thousands of operators scattered throughout the country to handle the effective control of the nomination process, the team of Regunath added security features in the software - the most important thing is that all operators first provide software by providing their own fingerprints Requires logging in or the first UI used to use any Iris scan Had to be registered with the Iaai.
"We added a facility to check if the operator is certified, mediators with the h system have been fixed, we have added a facility to check that enrollment people are running pirated or un-updated versions of Windows Are or not, "said Regunath.
UIDAI also made it mandatory that each computer used for enrollment was linked to the GPS device so that it can be ensured that the nomination has been made within the physical boundaries of the authorized centers.
Even then, by the beginning of 2017, these carefully considered security features were released by an elegant software hack that started circulating among private nomination operators, to register one billion Indians in the base database. Were prepared. The use of this patch was so extensive that a YouTube search for "AMCP Bypass" shows hundreds of videos of private operators who provide step-by-step guidance on how to split UIDAI security protocols.
Security analyst Bjorksten said, "This is a straightforward, business-like, and utilitarian hack." "After checking the code thoroughly, I think the patch is more than one coder's job."