On a summer day at the end of April 2017, Mr. Truong Duc Luong, Director of VSEC, gave a talk on the currently hot topic of information security risks at a small conference organized by VSEC in Hanoi, Vietnam. The conference covered many of the ways in which information security risks arise on servers as well as on clients.
Link to the Workshop event “Security Risks & Information Security” of VSEC: https://www.youtube.com/watch?v=yuekJt9C1fU
Server risks
Server-side security risks can stem from a variety of causes, such as Poor Authorization and Authentication, Insecure Direct Object Reference, Missing Function Level Access Control, and Using Components with Known Vulnerabilities.
Poor Authorization and Authentication occurs mainly where authentication is weak or absent altogether. Some applications in Vietnam often use constant values such as the IMEI or a UUID as their only authentication method. At the conference, the speaker gave some examples of an application using a UUID as its authentication method, and a few examples of an application dividing its APIs into classes according to different security levels (Low Security, Medium Security, High Security).
Insecure Direct Object Reference occurs when the programmer exposes references to objects in the system (files, directories, keys in the database) without controlling access to them, so attackers can reach data they are not authorized to see. This was one of the topics most guests paid attention to because of how serious it is. The speaker provided images of some banks' mobile banking apps that had this flaw. The recommended prevention is to use an Access Reference Map and an Access Modal Diagram. A guest shared that he used to apply an Access Reference Map, but he messed up the IDs on clients, so it was not safe. Another guest shared that he did not use an Access Reference Map, but his ID field was very complex, so it was difficult for an attacker to guess.
Missing Function Level Access Control occurs when the server does not check whether the user calling a function actually has the right to execute it, so an attacker can use permissions that were never granted. The speaker showed some pictures of a case where anyone could use an administrator function and pull information from a mail server system.
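The two server-side controls described above, an Access Reference Map for object access and a server-side role check for function-level access, as an added example that is not code from the talk or from VSEC. The account table, the role table and the session class are constructed for illustration; the point is that the client only ever sees per-session random tokens, so a real ID (however complex) and a token issued to another user both fail to resolve, and the admin function is refused before it runs.

```python
import secrets

# Constructed sample data: accounts keyed by their real database IDs, plus a role table.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 500},
    1002: {"owner": "bob", "balance": 1200},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


class Session:
    """Per-user session holding an indirect reference map (opaque token -> real ID)."""
    def __init__(self, user):
        self.user = user
        self.ref_map = {}

    def reference_for(self, real_id):
        """Mint an unguessable token for a real ID; only tokens minted here can resolve."""
        token = secrets.token_urlsafe(16)
        self.ref_map[token] = real_id
        return token

    def resolve(self, token):
        """Map a client-supplied token back to a real ID; anything else is rejected."""
        if token not in self.ref_map:
            raise PermissionError("reference was not issued to this session")
        return self.ref_map[token]


def list_my_accounts(session):
    """Return the caller's own accounts under opaque references, never the raw IDs."""
    return {session.reference_for(rid): acct["balance"]
            for rid, acct in ACCOUNTS.items() if acct["owner"] == session.user}


def get_account(session, token):
    """Object access goes through the session map, so a guessed or foreign ID cannot resolve."""
    return ACCOUNTS[session.resolve(token)]


def require_role(role):
    """Function-level access control: the server checks the caller's role, not the client."""
    def decorator(fn):
        def wrapper(session, *args):
            if ROLES.get(session.user) != role:
                raise PermissionError(f"{fn.__name__} requires role '{role}'")
            return fn(session, *args)
        return wrapper
    return decorator


@require_role("admin")
def list_all_accounts(session):
    return ACCOUNTS
```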
Using Components with Known Vulnerabilities occurs when the server runs components (operating systems, frameworks, libraries, etc.) with published vulnerabilities. Some of these vulnerabilities can be found and exploited automatically by a number of tools, which increases the risk of the system being attacked. The best measure against this risk is to regularly update the system to the latest versions and to cut down unnecessary functions. VSEC also shared a situation from deploying a service to a partner: the partner knew that the framework was old and had many vulnerabilities, but it could not be updated to a new version because that would affect the rest of their system suite.
Image: WannaCry, the ransomware virus that is dominating in 150 countries today (Source: theverge.com)
Client risks
Some causes of information security risks on the client side include: Insecure Data Storage, Unintended Data Leakage, Insufficient Transport Layer Protection, Broken Cryptography, and Lack of Binary Protections.
Insecure Data Storage occurs when the programmer saves important information on the device without encrypting or otherwise protecting it. When some cases of saving tokens in cleartext were shown, the guests also shared solutions and precautions for such cases.
Unintended Data Leakage: This flaw lies in the operating system and framework and is beyond the programmer's control. Some places where information can leak are copy/paste buffers, system logs, and analytics data sent to third parties. The guests also shared how to set up apps to prevent screenshots in the Recent Apps view, prevent copying, and so on.
Insufficient Transport Layer Protection: This flaw occurs when applications do not use an encryption protocol, use outdated versions of one, or encrypt only part of the transmission path. The speaker gave some statistics on the number of applications that do not check the server's certificate and ignore certificate errors. The speaker also introduced additional prevention methods that some Vietnamese applications often use, such as encrypting the packets they send and creating signatures for packets. However, the speaker suggested that the entire packet should be encrypted, and gave an example of an exploit that works by changing the information returned from the server.
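The "changed server response" case above, as an added example that is not code from the talk: if packets are signed only in the client-to-server direction, a modified response is accepted as-is, so the client must verify a tag computed over the whole response body, and it must still keep certificate and hostname verification on, since a signature hides nothing. The shared key, the response and the tampered copy are constructed for illustration.

```python
import hashlib
import hmac
import json
import ssl

# Constructed shared secret for illustration; a real app would provision it per session.
SHARED_KEY = b"constructed-demo-key"


def _canonical(body):
    """Serialize the whole body deterministically so every field is covered by the tag."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_packet(body, key=SHARED_KEY):
    """Server side: attach an HMAC-SHA256 tag over the entire response body."""
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_packet(packet, key=SHARED_KEY):
    """Client side: recompute the tag over what was received; any changed field is rejected."""
    expected = hmac.new(key, _canonical(packet["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet.get("tag", "")):
        raise ValueError("response integrity check failed")
    return packet["body"]


def client_handle_balance(packet):
    """The client acts on a balance only after the response tag verifies."""
    return verify_packet(packet)["balance"]


def strict_tls_context():
    """Python's default context verifies the chain and hostname; do not relax it to
    silence certificate errors, which is the behaviour the talk's statistics describe."""
    ctx = ssl.create_default_context()
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("TLS context does not verify the server certificate")
    return ctx


# Constructed genuine response and a copy whose balance was altered in transit.
GENUINE = sign_packet({"account": "acc-demo", "balance": 500, "status": "ok"})
TAMPERED = {"body": dict(GENUINE["body"], balance=999999), "tag": GENUINE["tag"]}
```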
Broken Cryptography: This flaw undermines the confidentiality of the data that is supposed to be encrypted. The speaker showed a number of applications that hardcode passwords in files, rely on base64 encoding (which is not encryption), and more.
Lack of Binary Protections: The speaker explained the process of compiling Java code into an apk file and why an apk file is easily decompiled. Once decompiled, sensitive information is exposed, such as API details, encryption and decryption methods, and the operating structure of the program. The speaker also presented some obfuscation tools such as DexGuard and ProGuard for Android, along with a number of techniques.
Conclusion
As Mr. Luong, Director of VSEC, noted at the conference, these were only the main causes of information security risks; there are many others. However, if these risks are properly addressed, an enterprise's IT system could avoid 91% of the risks. The world is increasingly connected today, which not only creates favorable conditions for our work but also better supports hackers. It's time for us to seriously pay attention to information security!