Chinese government website security is often worryingly bad, say Chinese researchers
Bad configurations, insecure versions of jQuery, and crummy cookies are some of myriad problems
Exclusive Five Chinese researchers examined the configurations of nearly 14,000 government websites across the country and found worrying lapses that could lead to malicious attacks, according to a not-yet-peer-reviewed study released last week.
The authors, all from the Harbin Institute of Technology, described the study as scrutinizing "the security and dependency challenges besieging China's governmental web infrastructure." They claim to have revealed "substantial vulnerabilities and dependencies that could impede the digital efficacy and safety of governmental web systems."
The researchers considered domain name resolution, utilization of third-party libraries, Certificate Authority (CA) services, Content Delivery Network (CDN) services, Internet Service Providers (ISP), the adoption of HTTPS, IPv6 integration, Domain Name System Security Extensions (DNSSEC) implementation, and website performance.
The paper found plenty of problems.
Over a quarter of domain names used by Chinese government websites were found not to have name server (NS) records – meaning it’s possible they lack effective DNS configuration and could be unreliable or inaccessible.
Another finding was a "notable dependence" on five DNS service providers – a lack of diversity that could open the network infrastructure to single points of failure.
"In the event of a technical issue, cyber attack, or regulatory action affecting one of these major providers, a significant portion of the DNS infrastructure could be compromised, impacting accessibility and security across a wide area," wrote the researchers.
Furthermore, 4,250 of the systems used versions of the jQuery JavaScript library vulnerable to CVE-2020-23064 – a cross-site scripting flaw in jQuery releases before 3.5.0 that has been a known problem for around four years.
And although ISPs used by government websites were found to have a geographical spread that was moderately distributed, the researchers suggested that server redundancy fell short of what is required for optimal security and reliability.
"Among the ISPs, China Mobile, China Telecom, China Unicom, and Alibaba Cloud occupy 98.29 percent of the market," found the team, which explained that "if one of the ISPs experiences a failure or attack, the entire network could be affected, causing widespread service outages."
The researchers also found that DNSSEC signing was largely absent from the domains' whois data – even though 101 subdomain records were found to have RRSIG (Resource Record Signature) records.
"This discrepancy suggests that while specific DNS records may have been signed, such signatures might not be accurately represented in the whois database, or alternatively, the signing may be limited to certain subdomains rather than encompassing the entire domain," explained the authors.
And finally, a Zed Attack Proxy (ZAP) analysis found:
- 10,187 sites were not configured with the X-Content-Type-Options header, which may make them vulnerable to MIME-type spoofing attacks;
- 10,323 sites did not set the Content Security Policy (CSP) header, which may increase the risk of cross-site scripting attacks;
- 8,182 sites lacked anti-CSRF tokens, making them vulnerable to cross-site request forgery (CSRF) attacks;
- 3,203 sites included wildcard directives in their content security policies;
- 8,158 sites were missing anti-clickjacking headers, making them more vulnerable to clickjacking attacks;
- 3,313 sites had not set the HttpOnly flag on their cookies;
- 6,624 cookies lacked the SameSite attribute, which may put the cookies at risk of improper access;
- 1,069 sites leaked private IP addresses, which may reveal sensitive information about system architecture.
The researchers concluded the investigation has uncovered "pressing security and dependency issues" that may not have a quick fix.
"Despite thorough analyses, practical solutions to bolster the security of these systems remain elusive," wrote the researchers. "Their susceptibility to cyber attacks, which could facilitate the spread of malicious content or malware, underscores the urgent need for real-time monitoring and malicious activity detection."
The study also highlights the need for "stringent vetting and regular updates" of third-party libraries and advocates "a diversified distribution of network nodes, which could substantially augment system resilience and performance."
The study will likely not go down well in Beijing, as China's government has urged improvements to government digital services and apps, and often issues edicts about improving cybersecurity. ®