Open to hackers: SilkSecured Challenges China's Sovereignty

How the negligence of the Chinese authorities jeopardizes the safety of citizens.

A team of Chinese researchers analyzed the configuration of nearly 14,000 state-owned websites in China and found security flaws that could lead to cyber attacks.

In the course of the work called SilkSecured, experts considered:
  • domain name resolution;
  • using third-party libraries;
  • Certificate Authority (CA) services;
  • Content Delivery Network (CDN) services;
  • Internet Service Providers (ISP);
  • implementing HTTPS;
  • IPv6 integration;
  • implementation of DNSSEC (Domain Name System Security Extensions);
  • site performance.

The analysis revealed many problems:
  • more than 25% of government website domains did not have name server (NS) records, which may indicate an inefficient DNS configuration and possible unreliability or unavailability.
  • A "noticeable dependency" on five DNS service providers has been identified, a lack of diversity that can open up the network infrastructure to single points of failure.
  • 4,250 systems used versions of the jQuery JavaScript library that were affected by the CVE-2020-23064 (CVSS: 6.1) XSS vulnerability, meaning that sites could have been the target of a remote attack that has been known for about 4 years.
  • problems with DNSSEC signatures were identified – 101 inconsistencies were detected between subdomain records and resource signature records.
  • a wide range of vulnerabilities, including header issues, lack of protection against CSRF attacks, lack of content security policies, and leakage of information about internal IP addresses.
  • Despite the moderately distributed geography of Internet service providers used by government websites, the researchers considered the redundancy of servers insufficient for optimal security and reliability.

The researchers concluded that the identified problems may not have a quick solution. The vulnerability of systems to cyber attacks highlights "the urgent need for constant monitoring and detection of malicious activity." The need for "strict selection and regular updating" of third-party libraries was also noted. The authors call for a "diversified distribution of network nodes" to improve the sustainability and performance of systems.

The results of the study are unlikely to be well received in Beijing, given the Chinese government's calls for better digital public services and frequently issued guidelines for improving cybersecurity.
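
A site operator can check a response for several of the findings listed above: a missing Content-Security-Policy, internal IP addresses leaking in headers or the page body, and which jQuery version is loaded. This is an added example, not part of the original post or the SilkSecured study; the sample response, the `X-Backend-Server` header and the SameSite cookie check (used here as one CSRF-related signal) are assumptions.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
JQUERY_RE = re.compile(r"jquery[-.]?(\d+\.\d+\.\d+)", re.I)

def private_ips(text):
    """Return the private/non-routable IPv4 addresses found in text, sorted."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            if ipaddress.ip_address(candidate).is_private:
                found.add(candidate)
        except ValueError:  # e.g. 999.1.1.1 is not an address
            pass
    return sorted(found)

def audit_response(headers, body):
    """headers: list of (name, value) pairs; body: HTML text. Returns findings."""
    findings = []
    names = {name.lower() for name, _ in headers}
    if "content-security-policy" not in names:
        findings.append("no Content-Security-Policy header")
    for name, value in headers:
        # Assumption: a session cookie without SameSite counts as a CSRF signal.
        if name.lower() == "set-cookie" and "samesite" not in value.lower():
            findings.append(f"cookie without SameSite: {value.split('=', 1)[0]}")
        for ip in private_ips(value):
            findings.append(f"internal address {ip} in header {name}")
    for ip in private_ips(body):
        findings.append(f"internal address {ip} in body")
    # Inventory only: the affected range must come from the CVE advisory.
    for version in sorted(set(JQUERY_RE.findall(body))):
        findings.append(f"jQuery {version} loaded: compare with the CVE-2020-23064 advisory")
    return findings

# Constructed sample response, not taken from any real site.
SAMPLE_HEADERS = [
    ("Server", "nginx"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("X-Backend-Server", "10.20.30.40:8080"),
]
SAMPLE_BODY = '<script src="/static/js/jquery-1.2.3.min.js"></script>'

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```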
 