Cracked by Anonymous India

Dec 17, 2012 - Ojas Sarup

So I typed in BSNL’s home page address in the evening on Friday, and was met with the routinely occasional “Oops!” message Chrome throws at me when I occasionally visit the BSNL home page, telling me that it couldn’t find the page I wished to visit.

So I tried through Google (maybe I was typing the wrong address?) but that failed and I noticed search results popping up informing me that Anonymous India had cracked the BSNL website and leaked the passwords of their databases (cracking is breaking computer security systems without consent).
So this is what happened in case you missed it.
Anonymous (a “hacktivist” group that takes responsibility for online protests, involving taking down Government websites, etc.) had cracked Union Minister Kapil Sibal’s official website a few days earlier in protest over his comments regarding the apparently misguided arrest of two women via Section 66A of the IT Act. This time, they extended the protest and defaced BSNL’s site, and cracked a file (or files) that had passwords and usernames required to login to BSNL’s regional databases.
They (@opindia_revenge) posted at least some of the information on Pastebin, and announced it via Twitter:
“BSNL Websites were hacked, and passwords and database were leaked on pastebin with Anonymous India’s demands of withdrawal of Sec 66A of IT Act.”
The site is back up today (Saturday), so I better visit it before someone throws it back offline. Oh, I kid BSNL! People don’t even need to try it, because they could just keep guessing the passwords for the databases!
Why? Because BSNL stores them in plain text. Seriously, I’m not joking. What Anonymous posted on Pastebin was disturbing not so much because they managed to do it (which is depressing in itself), but because it was not encrypted. Simple plaintext. So I know the databases are MySQL databases, that at least one of them doesn’t use SSH and only plain HTTP, and that most of the passwords are incredibly insecure, like “Password123,” “password,” “vpt123” and “meter.” Note that I have negligible experience with IT security or MySQL, yet I’ve understood all of this.
Although Anonymous claimed that they’ve cracked 250 databases, whatever information they’ve posted online contained about 10 or 15 databases from various states. I don’t know what these contained, as my inexperienced attempts to connect to the databases failed via standalone MySQL clients, and it’s possible that they had taken them offline (I hope that they did that).
Just as a note to Anonymous, if these databases contained sensitive private information of thousands of ordinary people, I can't be sure if it's a great idea to leak stuff like this, though at least it puts a spotlight on the lack of secure IT practices employed by the government.
And the government should hire me as the IT security adviser, because clearly the current ones aren't any better than underqualified little me.
So will this help the anti-Section 66A protest? I'm not sure, but I guess it's another brick in the wall.

Post new comment

<form action="/comment/reply/215937" accept-charset="UTF-8" method="post" id="comment-form"> <div><div class="form-item" id="edit-name-wrapper"> <label for="edit-name">Your name: <span class="form-required" title="This field is required.">*</span></label> <input type="text" maxlength="60" name="name" id="edit-name" size="30" value="Reader" class="form-text required" /> </div> <div class="form-item" id="edit-mail-wrapper"> <label for="edit-mail">E-Mail Address: <span class="form-required" title="This field is required.">*</span></label> <input type="text" maxlength="64" name="mail" id="edit-mail" size="30" value="" class="form-text required" /> <div class="description">The content of this field is kept private and will not be shown publicly.</div> </div> <div class="form-item" id="edit-comment-wrapper"> <label for="edit-comment">Comment: <span class="form-required" title="This field is required.">*</span></label> <textarea cols="60" rows="15" name="comment" id="edit-comment" class="form-textarea resizable required"></textarea> </div> <fieldset class=" collapsible collapsed"><legend>Input format</legend><div class="form-item" id="edit-format-1-wrapper"> <label class="option" for="edit-format-1"><input type="radio" id="edit-format-1" name="format" value="1" class="form-radio" /> Filtered HTML</label> <div class="description"><ul class="tips"><li>Web page addresses and e-mail addresses turn into links automatically.</li><li>Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd></li><li>Lines and paragraphs break automatically.</li></ul></div> </div> <div class="form-item" id="edit-format-2-wrapper"> <label class="option" for="edit-format-2"><input type="radio" id="edit-format-2" name="format" value="2" checked="checked" class="form-radio" /> Full HTML</label> <div class="description"><ul class="tips"><li>Web page addresses and e-mail addresses turn into links automatically.</li><li>Lines and paragraphs break automatically.</li></ul></div> </div> </fieldset> <input type="hidden" name="form_build_id" id="form-0f2c23784cdc2822c33e879fa692e873" value="form-0f2c23784cdc2822c33e879fa692e873" /> <input type="hidden" name="form_id" id="edit-comment-form" value="comment_form" /> <fieldset class="captcha"><legend>CAPTCHA</legend><div class="description">This question is for testing whether you are a human visitor and to prevent automated spam submissions.</div><input type="hidden" name="captcha_sid" id="edit-captcha-sid" value="87993455" /> <input type="hidden" name="captcha_response" id="edit-captcha-response" value="NLPCaptcha" /> <div class="form-item"> <div id="nlpcaptcha_ajax_api_container"><script type="text/javascript"> var NLPOptions = {key:'c4823cf77a2526b0fba265e2af75c1b5'};</script><script type="text/javascript" src="http://call.nlpcaptcha.in/js/captcha.js" ></script></div> </div> </fieldset> <span class="btn-left"><span class="btn-right"><input type="submit" name="op" id="edit-submit" value="Save" class="form-submit" /></span></span> </div></form>