Indian Railways Should Secure Information Before Monetising It
IRCTC may or may not have already been hacked; the railways doesn't have to inform you about it, because there are no compulsory disclosure laws in India. Indian Railways (IR) has other portals for ticket bookings; IRCTC is only one of the major public-facing portals. Most of these railway portals still run on unsecured protocols; they do not yet use any type of security certification and therefore fall victim to hackers easily.
It is no secret that the railways has bugs in its portals; the notorious bug of the captcha being text is openly laughed about in Reddit and Quora threads. If you are a railway buff and know the Indian Railway Fan Club Organization, you will understand how the moderators had to block people from posting internal information from the Integrated Coaching Management System, an internal portal of the railways.
OTAs (Online Travel Aggregators) exploit several security bugs and hit railway servers constantly, mining thousands of data records. Some even decrypt encrypted content in breach of the IT Act. They are even monetizing real-time railway info from the small permissions to utilize them. You cannot hold any railway property unlawfully under the Railways Property (Unlawful Possession) Act, 1966; it follows that railway data is its property too. Right now, data like train status, PNR status and ticket availability would fall under public data. But OTAs obtaining it through exploits in code makes the data prohibited, irrespective of it already being public. These practices of OTAs could prove powerful at a time of disaster.
When Estonia was attacked, it showed the world how impactful cyber warfare can be. Everything from banking to communications was hit. When Snowden made the revelations regarding the scale of NSA snooping, every other government began fortifying its IT infrastructure and started using precisely the same strategies as the NSA. The Chinese aren't far behind the Americans and frequently use their Great Firewall for both attacks and censorship.
The railways is critical infrastructure for the nation; any weakness in it can be a serious danger. Realizing that, IR came up in 2008 with a Simple Security Policy. But a recent CAG report from 2015 on IT infrastructure for crew management points out that almost 90-100% of employees use the same password, sidelining the system built for role-based access management. Several contract workers are given exactly the same user name and password, defeating the whole purpose of the policy.
At the same time, there is no place for anyone to report security bugs, although the way the railways is using information technology to reach individuals and help them over social media is astonishing. Bug bounty programs are frequently used by the industry to address its security problems with the expertise of professional security experts and hobbyists. In the current budget year, Indian Railways is spending 50 crores to finance innovations in the space of information, part of which focuses on cyber security, according to Mr. Suresh Prabhu.
What the railways fails to understand is this: purchasing a cyber-security solution is not going to solve its problems. It is the culture in CRIS which needs to transform. The minister continues to stress the significance of change in the 150-year-old organization. If it intends to handle cyber security, it needs to enhance CRIS personnel. The railways can set an example by building a skilled IT team to help CRIS and re-innovate itself. The internet moves really fast; today's security is tomorrow's vulnerability, and the railways has to start adapting to it.
The railways recently started embracing the National Data Sharing & Accessibility Policy (2012) to an extent; the chief data officer for railways has opened up a number of train time tables (around 2800 trains) on the Open Government Info Portal. The policy requires datasets to be classified into public, private and restricted data. It is high time the railways started releasing open data and open APIs, improving its data practices and closing security loopholes around sensitive information, possibly by embracing a bug bounty program. It is necessary for the railways to secure its information before it tries to monetize it.