India's technology department uses Gmail and Yahoo to host official e-mail correspondence, which one IT security vendor believes can expose the government to significant security vulnerabilities.
The Web site of the country's Department of Electronics and IT (DeitY), which lists the contact details of ministers and secretaries, reveals several e-mail addresses hosted on the popular, free Web-based e-mail services. Milind Deora, India's minister of state for communications and IT, has the address "email@example.com", while his private secretary Dinesh Arora secured the more personal "firstname.lastname@example.org". Private secretary D.K Rana can be e-mailed at "email@example.com".
The minister did not respond to requests for comment about the potential security threat of using these Web-based services for official correspondence and listing these on the government's official Web site. The details remain on the site.
In an interview with ZDNet, Pavan Thatha, founder of Chennai-based security startup Array Shield, said there were risks in the government's use of Gmail addresses.
Hackers could crack the password using software tools, password databases, and social engineering techniques. One simple method would be to try to answer password reset questions, such as "what is your mother's maiden name?", which are commonly used to verify the user's identity.
"There are so many password databases that have been breached, and there is a huge dictionary of frequently used passwords which can be used to compromise the account," Thatha said. "In that way, it can potentially be very dangerous."
However, he noted the e-mail accounts listed may not be used for official correspondence.