Exclusive Five Chinese researchers examined the makeup of nearly 14,000 government websites across the country and found worrying errors that could expose them to malicious attacks, according to a non-peer-reviewed study published last week.
The authors, all from Harbin Institute of Technology, describe their study as examining “security and dependency challenges surrounding China's government web infrastructure.” They claim to have uncovered “critical vulnerabilities and dependencies that could impede the digital effectiveness and security of government web systems.”
The researchers focused on domain name resolution, use of third-party libraries, certificate authority (CA) services, content delivery network (CDN) services, internet service providers (ISPs), HTTPS adoption, IPv6 integration, Domain Name System Security Extensions (DNSSEC) implementation, and website performance.
The paper found many problems.
More than a quarter of the domain names used by Chinese government websites were found to have no name server (NS) records, meaning they lack a valid DNS configuration and may be unreliable or unreachable.
Another finding was a “significant reliance” on five DNS service providers, a lack of diversity that could turn the network infrastructure into a single point of failure.
“In the event of a technical issue, cyberattack, or regulatory action affecting any of these major providers, a significant portion of our DNS infrastructure could be compromised, with widespread accessibility and security implications,” the researchers wrote.
Additionally, 4,250 systems were using a version of the jQuery JavaScript library vulnerable to CVE-2020-23064, leaving them open to remote attack, an issue that has been known for about four years.
And while the ISPs used by government websites were found to be reasonably dispersed geographically, the researchers suggested that server redundancy had not reached the level required for optimal security and reliability.
“Among ISPs, China Mobile, China Telecom, China Unicom, and Alibaba Cloud account for 98.29 percent of the market,” the research team found, adding: “If a failure or attack occurs at one of these ISPs, the entire network may be affected, causing widespread service outages.”
The researchers also found large numbers of domains without DNSSEC signatures, even though 101 subdomain records were found to carry RRSIG (resource record signature) records.
“This discrepancy may be due to the possibility that a particular DNS record is signed but the signature is not accurately represented in the Whois database, or that the signature does not cover the entire domain and is restricted to specific subdomains,” the authors explained.
And finally, Zed Attack Proxy (ZAP) analysis revealed the following:
- 10,187 sites did not set the X-Content-Type-Options header, which can leave them vulnerable to MIME type spoofing attacks.
- 10,323 sites did not set Content Security Policy (CSP) headers, which increases the risk of cross-site scripting attacks.
- 8,182 sites lacked anti-CSRF tokens, making them vulnerable to cross-site request forgery (CSRF) attacks.
- 3,203 sites included a wildcard directive in their content security policy.
- 8,158 sites lacked anti-clickjacking headers, making them more vulnerable to clickjacking attacks.
- 3,313 sites set cookies without the HttpOnly flag.
- 6,624 sites set cookies without the SameSite attribute, leaving those cookies at risk of inappropriate access.
- 1,069 sites could leak private IP addresses, potentially revealing sensitive information about system architecture.
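As an added illustration (not code from the study or from this article), the following Python function audits one HTTP response for the header-level issues in the ZAP list above: the X-Content-Type-Options header, CSP presence and wildcard sources, anti-clickjacking protection, and the HttpOnly and SameSite cookie attributes. The two sample responses are constructed; the anti-CSRF-token and private-IP checks need page bodies and are out of scope here.

```python
# Added example, not the study's tooling: header-level checks mirroring the ZAP
# findings above. The sample responses are constructed, not captured from any site.

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def cookie_attributes(set_cookie):
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:]}

def audit_response(headers, set_cookies=()):
    """Return findings for one response (header dict plus raw Set-Cookie values)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # MIME sniffing: X-Content-Type-Options must be present and equal to nosniff
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    # CSP must exist, and no directive should list a wildcard source
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif any("*" in src for srcs in csp.values() for src in srcs):
        findings.append("wildcard source in Content-Security-Policy")
    # Clickjacking: need X-Frame-Options or a CSP frame-ancestors directive
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("missing anti-clickjacking header")
    # Every cookie should carry both HttpOnly and SameSite
    for raw in set_cookies:
        name, attrs = cookie_attributes(raw)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} lacks SameSite")
    return findings

# Constructed samples: a weakly configured response and a hardened one
WEAK_HEADERS = {"Content-Security-Policy": "default-src 'self' *; script-src 'self'"}
WEAK_COOKIES = ["JSESSIONID=abc123; Path=/"]
HARDENED_HEADERS = {"X-Content-Type-Options": "nosniff",
                    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
HARDENED_COOKIES = ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]
```

Calling `audit_response(WEAK_HEADERS, WEAK_COOKIES)` returns five findings, while the hardened pair returns an empty list.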
The researchers concluded that their investigation revealed “pressing security and dependency issues” that may not be resolved quickly.
“Despite thorough analysis, practical solutions to enhance the security of these systems remain elusive,” the researchers wrote. “Vulnerability to cyberattacks that can facilitate the spread of malicious content and malware highlights the urgent need for real-time monitoring and detection of malicious activity.”
The study also highlighted the need for “rigorous vetting and regular updates” of third-party libraries and advocated “distribution of network nodes, which has the potential to significantly improve system resiliency and performance.”
The study is unlikely to land well in Beijing, as the Chinese government has been pushing improvements to digital government services and frequently issues edicts to improve cybersecurity. ®