The Curious Case of Poor Security in the Indian Twitterverse
What are the technical, legal and jurisdictional issues around the recent Twitter and email hacks claimed by the ‘Legion Crew’, and what can targeted entities do to better protect themselves?
The article was originally published in the Wire on December 15, 2016.
The term legion, an oft-referred identity in popular culture, has begun to attain recent notoriety in Indian cyberspace due to the spate of hacks being carried out by a group of hackers calling themselves ‘Legion Crew’. The group has compromised four Twitter and/or email accounts in the past two weeks, with confirmed hacks of Rahul Gandhi, Vijay Mallya, Barkha Dutt and Ravish Kumar. Lalit Modi, Apollo Hospitals and the parliament (sansad) have been singled out as future targets, with dire warnings of catastrophic data leaks if the group were to be investigated by the authorities. The ethical impression of the hacks have been divided, with some segments of the public supporting the supposedly hacktivist outlook of the group while others condemning their actions as reckless and invasive. In the meantime, no individuals or entities have been accused of the hacks by the police, with most reports claiming the foreign origin of the hacks being the biggest impediment to the investigations.
A technical and legal perspective
The hacks first began against the politician Gandhi, whose Twitter account was hacked almost two weeks ago, with various demeaning tweets being posted for a few hours before access to the account was restored to the rightful owner. The same hacks were then carried out on business tycoon Mallya’s Twitter account last Friday but this time around, his bank details (apparently obtained from his compromised email accounts) were also leaked to the public via Twitter. Similar hacks targeting both the Twitter and email accounts of Dutt and Kumar were also carried out the past weekend. Sensitive details and data dumps (around 1.5 GB in size) of the journalists were released to the public, along with escalating warnings about future attacks. The data dumps released by the hackers seemed to be indicative that the hackers obtained far more information than they had disclosed via the Twitter hacks and were willing to leverage this data as ransom. Twitter, via both their Indian policy representatives and their international office, has denied any compromise to their systems and has claimed that all accounts were legitimately accessed with valid credentials at the time of the hacks. This leads to three main questions: How were the Twitter and email accounts hacked? What is the recourse, especially in terms of investigation, available to the afflicted parties and the authorities? What can potential targets do to secure their online presence from such attacks?
Regarding their technical nature, all of these hacks were sustained compromises that lasted for a few hours each (a long time in cyberspace) and seemed to be reflective of only a fragment of the power the hackers held over the individual’s online presence. Considering Twitter’s denial that the attacks were due to a security flaw on their end as well as the fact that legitimate login details were used to gain access to the accounts, a rather simple investigation can show that the most likely attack vector used by the Legion Crew for these hacks was a DNS Hijacking attack in combination with a Man in the Middle (MITM) attack. These methods abuse the rather simple and (by default) insecure DNS system that is responsible for directing the world’s Internet traffic including email. While the use of DNS to map websites to the IP address of the systems where they are physically hosted (for instance, www.thewire.in maps to 22.214.171.124 at the time of writing this article) is fairly well known, the DNS system also directs most of the world’s email. Similar to DNS A and AAA name records regarding websites, DNS MX records direct email sent to domain names to the correct email servers where they are processed for storage or forwarding, as required. If these MX records are compromised, then hackers can easily redirect emails sent to legitimate email address of the domain name (for instance, firstname.lastname@example.org) to whatever system they want, including other compromised email addresses.
The original operator of the email account is unaware of any email that is redirected in such a way and has no way of knowing the account has been hacked until they notice they are not consistently receiving emails sent to them, which in well planned hacks can be as for many weeks or even months. These attacks can also be further augmented if the hackers also decide to implement an MITM. In an MITM attack, hackers can redirect all traffic attempting to reach an email account via the MX records to a system they operate by changing the MX records on the domain name server to a malicious system. They can access and store all these emails (along with attachments) via the malicious system and also manipulate the information contained in these emails. Then, either in bulk or selectively, they can re-send the emails to the original email accounts they were intended for from their own servers. The owner will then receive the emails in their inboxes with the apparent impression they are private and being received for the first time. This entire MITM process can be setup in a manner that the emails are rerouted to compromised servers by MX records changes, stored for future analysis and then forwarded to the original recipient account in a matter of seconds.
Given the reliance placed by most websites on email IDs being a primary form of identity authentication, compromising an email ID can give access to most of the social networking, entertainment and even banking websites’ login details of the owner to any individual who has the login details of the account. This is because of the password reset or forgotten password feature available in most services that use only email IDs by default as a form of authenticating account ownership and allowing the user to reset their passwords by setting a reset email to their registered email accounts. Once they gain access to the compromised accounts, hackers can perform these resets with impunity, granting them unrestricted access to the online presence of the owner. In fact, hackers can use these attacks to perform password resets on the email accounts themselves, allowing them unlimited access to past conversation, records and login details that may be stored in the email accounts.
Keeping this background in mind, the most likely methodology behind the hacks is quite simple to explain. The Legion Crew most likely first compromised the email systems of these celebrities by changing the DNS MX records of the email IDs which were registered with Twitter as login IDs for these accounts. This allowed them to redirect emails sent to these email IDs to an alternative system of their choosing. They then used the password reset feature of Twitter, which is similar to those provided by most social networking services, to reset the password of these accounts. However, due to the compromise of the MX records of the domain names used by these celebrities, instead of reaching the inboxes of the entities operating the accounts, the password reset emails were sent to the alternative systems set up by the hackers solely for receiving such emails. After receiving this email, it was a simple matter of resetting the account credentials by clicking on the password reset link on the email and changing the passwords of these accounts to unique passwords only known to the hackers.
The hackers then would (and did) have complete control of the account until the service provider itself intervened and provided an emergency reset along with recommending rectifying the MX records from the malicious one’s inserted by the hackers. The only question left to be answered in the methodology followed by the hackers is how they gained access to the MX records, as DNS records can only be changed using the dashboard of the domain name provider, which in turn is protected by a login password. Allegations have arisen that most (if not all) of the compromised accounts used ‘Net4india’ as their domain name provider. Therefore, it is very possible either that it is a vulnerability on the Net4india systems, an internal compromise of the personnel Net4india and so on leading to access detail to domain name accounts from being compromised. Such security and personnel breaches could have been responsible for providing access to the domain name management dashboard of the hacked celebrities email IDs, after which the attack would have followed the methodology described above by changing the MX records to a malicious system.
The legal avenues available to the affected parties are fairly clear within the Information Technology Act, 2000 and the Indian Penal Code, 1862. Section 66 and Section 66C of the IT Act, which govern hacking and misuse of passwords respectively, would apply along with possible application of the provisions concerning mischief (Section 425), cheating (Section 420) and extortion (Section 383) of the IPC. However, recent investigations have already begun to show that the various jurisdictional symptoms that plague cybercrimes investigations are also hindering investigations for these hacks. The global nature of the internet ensures that the operating servers, attackers, compromised users and unwitting intermediaries are more often than not all located in different jurisdictions, each with their own set of protections, vulnerabilities and laws. For example, investigations by the Delhi police into IP addresses that accessed Gandhi’s Twitter account during the hack have shown that in the period of few hours the account was accessed from the US, Sweden, Canada, Thailand and Romania. Of course, given the pervasive availability of IP spoofing tools, none of these countries is indicative of the actual location of the hacker. Gaining information from these different servers, in order to trace a route of the hacker’s digital geographical journey, is a bureaucratic and legal nightmare with long delays, unanswered Mutual Legal Assistance Treaty requests and unresponsive service providers being the norm. Like in most cybercrime investigation, if the hackers take certain basic steps to mask their identities and geographical location, their odds being caught by traditional law enforcement are negligible. Investigations that have successfully managed to catch such hacker groups, such as the Project Safe Childhood by the FBI against child pornography on the Tor web, take millions of dollars, months of efforts and a high level of skill. Whether these Twitter hacks will generate the sustained, multijurisdictional effort across law enforcement agencies in India required to catch such crimes remains to be seen. Until then, the questions of attribution, liability and justice will remain unanswered like in a majority of large scale cyber hacks.
Given that various other targets have already been singled out by the hacker group, the need for vigilance and improved security is greater than ever. One basic measure, easily available within Twitter and most other services, that should be carried out is enabling two factor authentication (2FA) on both email and social media accounts. 2FA ensures that the user has to input a One Time Password (OTP) generated on a separate device (such as a mobile phone) at the time of logging in or resetting the password for the account. This would mean that even if the hackers obtain the password or compromise the emails being sent to an account, they will be unable to login into an account without also being in physical possession of the device with the OTP generation application. If this option, which is already available within Twitter, was enabled for the four accounts that were hacked, for example, they would have remained protected despite the email account compromise. Further, domain name service providers should also implement Domain Name System Security Extensions and Domain Keys Identified Mail to prevent DNS and email hijacking, as was carried out on Net4India servers in these Twitter attacks. Using HTTPS on all pages on websites will also go a long way in preventing spoofing and securing user information in transit. Finally, nothing can replace customer education and awareness as the most effective tool to combat the growing cyber threats faced by the average netizen. The weakest link in a digital system is often the end user. A core set of security measures that can be percolated into common practice will serve as the first and best line of defence against such attacks in the future, for both the common man and celebrities alike.