A group of Chinese researchers analyzed the configuration of almost 14,000 Chinese government websites and discovered security deficiencies that could expose them to cyber attacks.
In the course of the study, called Silksecured, the experts examined:
- Domain name resolution;
- The use of third-party libraries;
- Certificate authorities (CA);
- Content delivery networks (CDN);
- Internet service providers (ISP);
- HTTPS deployment;
- IPv6 adoption;
- DNSSEC (Domain Name System Security Extensions) deployment;
- Site performance.
The analysis uncovered many problems:
- More than 25% of government site domains had no Name Server (NS) records, which may indicate an ineffective DNS configuration and possible unreliability or inaccessibility.
- A “noticeable dependence” on five DNS service providers, a lack of diversity that can leave the network infrastructure with single points of failure.
- 4,250 systems used versions of the JavaScript library jQuery affected by the XSS vulnerability CVE-2020-23064 (CVSS: 6.1), meaning the sites could become the target of a remote attack that has been known for about four years. 101 DNSSEC signature mismatches between subdomains and resource signatures were also found.
- A wide range of vulnerabilities, including problems with HTTP headers, lack of protection against CSRF attacks, missing content security policies, and leakage of internal IP addresses.
- Despite the moderately distributed geography of the Internet providers used by government sites, the researchers judged the server redundancy insufficient for optimal security and reliability.
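As an added illustration of three of the findings above (this script is not part of the study or of this article), a small Python audit that takes one captured HTTP response and flags a missing Content-Security-Policy header, internal IP addresses leaked in response headers, and a jQuery file whose version predates the 3.5.0 release that fixed CVE-2020-23064; the sample headers and body are constructed, not taken from any real site.

```python
import re
from html.parser import HTMLParser

# jQuery 3.5.0 is the release that fixed CVE-2020-23064; anything older lacks the fix.
JQUERY_FIXED = (3, 5, 0)
# RFC 1918 private ranges; a match in a response header means an internal address leaked.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def jquery_version(src):
    """(major, minor, patch) from a versioned jQuery core file name, else None
    (jquery-ui plugins and unversioned copies deliberately do not match)."""
    name = src.split("?")[0].rsplit("/", 1)[-1]
    m = re.fullmatch(r"jquery[-.]?(\d+)\.(\d+)(?:\.(\d+))?(?:\.(?:min|slim))*\.js", name, re.I)
    return None if not m else (int(m[1]), int(m[2]), int(m[3] or 0))

def audit_response(headers, body):
    """Return the findings for one HTTP response: a header dict plus its HTML body."""
    findings = []
    if "content-security-policy" not in {k.lower() for k in headers}:
        findings.append("missing Content-Security-Policy header")
    for name, value in headers.items():
        if PRIVATE_IP.search(value):
            findings.append(f"internal IP address leaked in header {name}")
    collector = ScriptSrcCollector()
    collector.feed(body)
    for src in collector.srcs:
        version = jquery_version(src)
        if version is not None and version < JQUERY_FIXED:
            findings.append(f"jQuery {'.'.join(map(str, version))} at {src} "
                            "predates the 3.5.0 fix for CVE-2020-23064")
    return findings

# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = {"Server": "nginx", "X-Upstream": "10.0.3.17:8080"}
SAMPLE_BODY = ('<html><head><script src="/static/jquery-3.4.1.min.js"></script>'
               '<script src="/static/jquery-ui-1.12.1.min.js"></script>'
               '<script src="/js/app.js"></script></head><body></body></html>')
```

Running `audit_response(SAMPLE_HEADERS, SAMPLE_BODY)` on the constructed sample yields three findings: the missing CSP header, the private address in X-Upstream, and the outdated jQuery 3.4.1.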
The researchers concluded that the identified problems may have no quick fix. The systems' vulnerability to cyber attacks underscores the “acute need for constant monitoring and detection of malicious activity.” They also note the need for “strict selection and regular updating” of third-party libraries, and call for a “diversified distribution of network nodes” to increase the resilience and performance of the systems.
The study's results are unlikely to be well received in Beijing, given the PRC government's calls to improve digital public services and its frequently issued directives on improving cybersecurity.