Pakistan is well on its path to being a key player in the IT world. There are many shortcomings, and serious development is required in areas including entrepreneurship, IT infrastructure, and university research and development; but the fact remains that Pakistan produces some of the great IT minds and hosts a variety of talented people in the IT field.
More often than not we witness initiatives by the Government and civil service departments, ministries and other public institutions towards what they refer to as "computerization". While I am in complete agreement and a strong supporter of slow and steady progress, as they say, if you want to do something, do it right. This applies very vividly to our state of IT affairs when it comes to non-private (or even some private) initiatives. Databases and IT systems implemented in Government departments, spanning national issues and data, must be dealt with with the utmost expertise, experience, security and "care". For if they aren't done the right way, they are a cause of grave national threat and / or security crisis and breach. A simple security analysis will reveal that the majority of government-run websites are prone to simple SQL-injection attacks. They don't tackle the basic security patterns, let alone handle any planned and complex cyber attack. In addition I fear they all lack serious accountability norms like proper logging, etc.
The IT staff quality, experience, skills and level of expertise in government institutions is debatable and I wouldn't comment. My aim here is to re-emphasize that those concerned must acknowledge this factor as of utmost importance to our national security. Considering that we are the center of attention these days, bodies dealing with cyber-security, cyber-warfare, e-crime, digital and computer forensics (if there are any) must be hyper-active and monitor (all of) Pakistan's cyber-space for possible breaches; and not only that, they should take immediate practical steps to eradicate such instances and points where a breach can occur. Our bills thus far are to prevent bloggers from defaming a public figure, but have we taken drastic measures on what really matters in cyber-space?
Case in view
I would quote here a proof-of-concept of how one seemingly insignificant and publicly "unacknowledged" threat can cause a grave national security concern. Please note that this proof-of-concept WILL NOT reveal the steps to reproduce it, but rest assured that as of the day of writing this article the loophole still exists and is live. I will be willing to pass on the details to the concerned bodies.
- A database containing Pakistan's citizen information is live and hosts a major loophole: a very trivial and basic security bug that shouldn't have passed any rudimentary software QA test. Unfortunately it is still live to this date and I can confirm that it has been there for at least a year now.
- The database is available on the Internet and with basic "black-box" knowledge can easily be exploited. Data can be pulled on any individual living in Pakistan who is registered. It contains current and previous residential addresses, phone numbers, NIC number, father's name, the individual's complete name, etc.
- Proof of concept:
Here's a snapshot (password protected) of a script that will pull data on an individual given an NIC number (old / new). Please note the script runs on a restricted loop and hosts a restricted view (obviously, I wouldn't be allowing you the whole database exposure from here!).
Even from this restricted view of the database, a brute-force attack, or better a dictionary attack over possible NIC numbers, could result in a malicious person getting hold of such private details about each and every individual living in Pakistan. A typical NIC number is 13/14 digits with a known grouping on the first 5.
$\sim (10^5 - 10^2) \cdot 10^7 \cdot 2^1$ possible NIC numbers.
The search space reduces considerably when the patterns of NIC numbers are accounted for and a little heuristic is applied. With any modern computational setup it would take less than 2 months.
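As an added example (not the script the post describes, nor any real system's code), here is a small NIC lookup service in Python showing the two controls the post says are missing from such systems: a parameterised query instead of string-built SQL, and per-client rate limiting with an audit trail, so that enumeration of NIC numbers is both slowed and recorded. The table, sample rows, client ids and the lookup threshold are all constructed for the demonstration.

```python
import re
import sqlite3
import logging
from collections import defaultdict

# Hypothetical lookup service; the citizen table and threshold below are
# constructed stand-ins, not values from any real system.
NIC_RE = re.compile(r"^\d{13}$")          # 13-digit NIC as described in the post
LOOKUP_LIMIT = 5                          # per-client ceiling before lookups are refused

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("nic-lookup")

class NicService:
    def __init__(self, rows):
        # In-memory table with constructed (nic, name, city) rows
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE citizens (nic TEXT PRIMARY KEY, name TEXT, city TEXT)")
        self.db.executemany("INSERT INTO citizens VALUES (?, ?, ?)", rows)
        self.lookups = defaultdict(int)   # client id -> lookups made so far
        self.audit = []                   # audit trail; would go to a log sink in practice

    def lookup(self, client, nic):
        """Return (status, row). Every request, allowed or refused, is recorded."""
        if not NIC_RE.match(nic):
            self._audit(client, nic, "rejected-format")
            return "rejected", None
        self.lookups[client] += 1
        if self.lookups[client] > LOOKUP_LIMIT:
            # Many lookups from one client is the enumeration pattern: refuse and record
            self._audit(client, nic, "rate-limited")
            return "rate-limited", None
        # Bound parameter: the NIC value is never spliced into the SQL text
        row = self.db.execute(
            "SELECT name, city FROM citizens WHERE nic = ?", (nic,)
        ).fetchone()
        self._audit(client, nic, "hit" if row else "miss")
        return "ok", row

    def _audit(self, client, nic, outcome):
        # Keep only the 5-digit locality prefix in the log; mask the rest
        masked = nic[:5] + "*" * max(len(nic) - 5, 0)
        self.audit.append((client, masked, outcome))
        log.info("client=%s nic=%s outcome=%s", client, masked, outcome)

if __name__ == "__main__":
    svc = NicService([("3520212345671", "Sample Citizen", "Lahore")])  # constructed row
    print(svc.lookup("client-a", "3520212345671"))
    print(svc.lookup("client-a", "' OR 1=1--"))   # malformed input never reaches SQL
```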
You can reach me [ contact ] if you wish to test the script. It's not open to the public.
My question is: if this is not a national security issue then what is? And if it is, why has it gone undetected for over a year now? And if it was detected, why hasn't the threat been eradicated yet? FIA's NR3C, PakCERT??
Point is if a person like me can find this, anybody can.
With this I will end today's note: either we shouldn't take initiatives that we don't have complete command and expertise over; or if we do, we should do them the right way. Every action has a reaction, and every reaction has consequences.
These types of threats and security vulnerabilities are popping up day by day as our Government departments and institutions put their "databases" online as a result of "computerization". Any preying malicious eye can exploit them for their own good. I am quite sure that in such an instance we will not even be able to detect that something has happened. Identification and prevention are the better steps here.
I remember a couple of years back some back-end PTCL "telephone application management system" on the web had a basic SQL injection vulnerability that would allow an attacker to access records of new telephone applications. That's a whole load of personal and verified information about an individual out there, up for grabs!
However, my objective here is not to highlight any single cyber security incident; my emphasis in this article is to reiterate that although we are pushing for "computerization" of departments as a means of progressing forward, we MUST in conjunction with it ensure that proper methods are employed to implement and pursue such initiatives, especially for the security, privacy and confidentiality of data being put online. Or at the very least, we must take care of the common patterns that haunt a seemingly "new" technology.