HCL and HP named in unflattering audit of India’s biometric ID system

Same biometric used for different people, no archives, lousy infosec among the issues

India’s Comptroller and Auditor General has published a performance audit of the nation’s Unique Identification Authority and found big IT problems – some attributable to Indian services giant HCL and to HP, but others due to poor decisions by the Authority.

The Authority (UIDAI) oversees “Aadhaar” – a twelve-digit ID issued as a national identity token. Aadhaar is essential to access government services but can also be used by third parties – banks and mobile carriers employ it to verify the identity of applicants for new accounts. UIDAI arranges for collection of the biometrics needed to create an Aadhaar – ten fingerprints, two iris scans, and a facial photograph – through enrollment agencies and registrars, then provides authentication-as-a-service using Aadhaar numbers.

More than a billion Aadhaar IDs have been issued and over 99 per cent of Indian adults have enrolled in the scheme.

Aadhaar lacked a data archiving policy

The audit report found plenty of problems with the project, among them around 475,000 Aadhaars with the same biometric data used to describe different people. De-duplication efforts proved so poor that staff reverted to manual processes to address the problem. Many Aadhaar ID cards didn’t work as a result – attempts to authenticate users failed.

Infosec types never tire of pointing out that an entity’s security is only as good as its partners’. Yet UIDAI “did not carry out verification of the infrastructure and technical support” of organisations that sought to join its third-party ecosystem. The audit found that UIDAI was lax in requiring participants to complete security checks – which is problematic because it left the organisation unsure whether devices used to capture biometrics conformed to its security requirements.

Whatever devices were used, capture of biometrics was often ineffective and some of the resulting data was unusable. Other biometric data was captured but not paired to any person.

Third-party users of Aadhaar-as-a-service were not billed – despite revenue raising being an integral part of UIDAI’s mission.

UIDAI also lacked a data archiving policy for several years. The audit explains the rudiments of tiered storage and the very good reasons to retire some data, and points out that the organization therefore cost itself money and may have created compliance problems.

At this point readers may be wondering who ran UIDAI’s technology, because not archiving data or checking stakeholder security suggests they did not do it brilliantly.

The answer is HCL – the Indian services giant was awarded a contract to manage UIDAI tech in 2012 and still has a role today.

The audit report found that the company selected the provider of Automatic Biometric Identification Systems, but service levels were not met – possibly the reason for duplicate Aadhaar numbers and the other messes mentioned above.

UIDAI chose not to penalize HCL or the biometrics providers for those failures, and even restructured contracts so it could waive requirements to seek liquidated damages.

HP’s role in the mess was providing a document management system that stored Aadhaar enrolment data digitally and on paper but was plagued by inconsistent data collection and delivery that saw the creation of many incomplete records.

The audit concludes that the failure to enforce security standards across the Aadhaar ecosystem means the scheme poses a privacy risk to Indians, while waiving penalties to underperforming suppliers sent the message that sub-standard work was acceptable.

The document concludes with a strong recommendation that UIDAI take heed of the recommendations in the audit – especially those pertaining to information security.


Biting the hand that feeds IT © 1998–2022