(Key notes from VSEC's mini workshop "Information Security Risks")
On a sunny day in late April 2017, Truong Duc Luong, CEO of VSEC, delivered a talk on the hot topic of information security risks at a mini-workshop held in Hanoi, Vietnam. The workshop covered quite a few aspects of how information security risks arise on both the server side and the client side.
Server-side risks can arise for quite a few reasons, including Poor Authorization and Authentication, Insecure Direct Object Reference, Missing Function Level Access Control, and Using Component with Known Vulnerabilities.
Poor Authorization and Authentication occurs mainly due to a lack of authentication control. Some applications in Vietnam use constant values such as the IMEI or a UUID as the only authentication method. At the workshop, the speaker gave examples of an application that used the UUID as its authentication method, and examples of how to classify APIs into tiers with different levels of security (Low Security, Medium Security and High Security).
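To make the contrast concrete, here is an added example (written for this write-up, not code from the talk or from VSEC) that places the weak "device constant as identity" pattern next to a server-issued, signed, short-lived token, and then uses the token to enforce the Low/Medium/High API tiers the speaker described. The endpoint paths, the 15-minute token lifetime and the 2-minute freshness rule for the high tier are assumptions chosen for the demo; the signing key is generated at import time and would live only on the server in a real deployment.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key: in a real deployment this lives only on the server.
SERVER_KEY = secrets.token_bytes(32)


# Constructed sample of the weak pattern from the talk: a device constant
# (IMEI/UUID) is treated as the user's identity, so whoever learns the value
# (logs, a shared device, an analytics SDK) is effectively logged in.
def weak_device_id_login(users_by_device, device_id):
    return users_by_device.get(device_id)


# Hardened pattern: once the server has checked real credentials it issues a
# short-lived token that it signs; the device id is at most one extra signal.
# Assumes user ids contain no ':' (the demo's field separator).
def issue_token(user_id, ttl_seconds=900, now=None):
    now = time.time() if now is None else now
    issued, expiry = int(now), int(now) + ttl_seconds
    payload = f"{user_id}:{issued}:{expiry}:{secrets.token_hex(8)}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token, now=None):
    """Return {'user': ..., 'age': seconds} for an intact, unexpired token; None otherwise."""
    now = time.time() if now is None else now
    try:
        payload, tag = token.rsplit(".", 1)
        user_id, issued, expiry, _nonce = payload.split(":")
    except ValueError:
        return None  # malformed
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered
    if now >= int(expiry):
        return None  # expired: a stolen token has a short life, unlike an IMEI
    return {"user": user_id, "age": now - int(issued)}


# Constructed illustration of the tiering idea from the talk: the checks an
# endpoint demands depend on its sensitivity.
API_TIERS = {
    "/public/rates": "low",        # no authentication needed
    "/account/balance": "medium",  # any valid token
    "/account/transfer": "high",   # valid token issued within the last 2 minutes
}


def authorize_call(path, token, now=None):
    now = time.time() if now is None else now
    tier = API_TIERS.get(path, "high")  # unknown endpoints default to the strictest tier
    if tier == "low":
        return True
    info = verify_token(token, now)
    if info is None:
        return False
    return tier != "high" or info["age"] <= 120
```

The point of the `age` field is that the high tier can demand a recent authentication without a second token type: a token good enough for reading a balance is not automatically good enough for a transfer.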
Insecure Direct Object Reference occurs when developers expose references to internal objects (files, folders, database keys) without controlling access to them, so an attacker can reach data they are not authorized to see. This was one of the topics that attracted the most attention because of how dangerous it is. The speaker showed images of some mobile banking applications that had this flaw. The recommended prevention measures were an Access Reference Map and an Access Modal Diagram. One guest said he used to use an Access Reference Map, but it caused the clients' IDs to become tangled, so it wasn't safe. Another guest said he didn't use an Access Reference Map, but he thought that when IDs were tangled, hackers found them hard to guess.
Missing Function Level Access Control occurs when the server does not check whether the user calling a function is actually entitled to execute it, so an attacker can gain access that was never authorized. The speaker illustrated a case where anyone could invoke an administrator's function and pull information from the mail server system.
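The two server-side flaws above are both authorization failures at different granularities, so one added example (not code from the talk or from VSEC) covers both: a per-session indirect reference map, which is the Access Reference Map idea, for object-level access, and a role check enforced on the server for function-level access. The account table, user names and roles are constructed sample data.

```python
import secrets
from functools import wraps

# Constructed sample accounts. The real primary keys (1001, 1002) never leave the server.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 500},
    1002: {"owner": "bob", "balance": 250},
}


class Session:
    def __init__(self, user, role):
        self.user = user
        self.role = role
        self.ref_map = {}  # opaque per-session token -> real account id

    def reference_for(self, account_id):
        """Hand the client an opaque, per-session token instead of the raw key."""
        for token, real in self.ref_map.items():
            if real == account_id:
                return token
        token = secrets.token_urlsafe(16)
        self.ref_map[token] = account_id
        return token


# --- Object level: direct reference (vulnerable) versus indirect reference (safe) ---

def vulnerable_get_account(account_id):
    """Direct object reference: any caller can walk 1001, 1002, ... and read them all."""
    return ACCOUNTS.get(account_id)


def my_accounts(session):
    """The server lists only the caller's accounts and returns opaque references."""
    return [session.reference_for(aid) for aid, a in ACCOUNTS.items()
            if a["owner"] == session.user]


def safe_get_account(session, token):
    """Resolve the reference through this session's map, then re-check ownership."""
    account_id = session.ref_map.get(token)
    if account_id is None:
        return None  # a raw key or another session's token resolves to nothing
    acct = ACCOUNTS[account_id]
    if acct["owner"] != session.user:
        return None  # defence in depth: the map should never hold someone else's account
    return acct


# --- Function level: the server, not the UI, decides who may call an admin function ---

def requires_role(role):
    def decorator(fn):
        @wraps(fn)
        def wrapper(session, *args, **kwargs):
            if session.role != role:
                raise PermissionError(f"{fn.__name__} requires role {role!r}")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def list_all_accounts(session):
    return sorted(ACCOUNTS)


def is_permitted(fn, session, *args):
    """True if fn runs for this session, False if the role check rejects it."""
    try:
        fn(session, *args)
        return True
    except PermissionError:
        return False
```

Note that hiding the admin menu in the app does nothing here; `list_all_accounts` refuses the call on the server whatever the client sends, which is the control the speaker's mail-server example was missing.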
Using Component with Known Vulnerabilities occurs when a server uses components (operating system, framework, library, etc.) whose vulnerabilities have already been published. Some of these flaws are found and exploited automatically by tools, which increases the risk of an attack on the system. The best way to prevent this risk is to keep the system updated to the latest version and to cut down unnecessary functions. VSEC also shared with the guests a situation encountered when deploying services for a partner: the partner knew that their framework was old and had many vulnerabilities, but could not update it to the latest version because doing so would affect their entire system.
WannaCry, a powerful ransomware virus that has attacked 150 countries in recent days
Client-side risks include Insecure Data Storage, Unintended Data Leakage, Insufficient Transport Layer Protection, Broken Cryptography, and Lack of Binary Protections, to name a few.
Insecure Data Storage occurs when developers save important information on the device without encryption or other protection. When the speaker presented cases of a token being saved on the device as cleartext, the guests shared some plans and solutions for this situation.
Unintended Data Leakage is a flaw that belongs to the operating system and frameworks, outside the developer's control. Likely leak points include the copy/paste buffer, the system log, and analytics data sent to third parties. The guests shared their views on configuring applications to prevent screen capture in the Recent Apps view, to prevent copying without permission, and so on.
Insufficient Transport Layer Protection occurs when applications do not use encrypted protocols, or use only older versions of them, or encrypt only part of the communication path. The speaker gave statistics on a number of applications that did not check the server's certificate and ignored certificate errors. He then described prevention measures often used in some Vietnamese applications, such as encrypting the packets being sent and creating a signature for each packet. But he suggested that the received packets should be protected as well, and gave examples of exploits that work by altering the packets coming back from the server.
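The speaker's point that the reply deserves the same scrutiny as the request is easy to show in code. The following is an added example, not code from the talk or from any VSEC project: each packet carries a sequence number and an HMAC over a canonical serialization, and the client verifies the server's response exactly as the server verifies the request. The session key is a constructed constant; in practice it would be negotiated after TLS with proper certificate validation, which this signature layer complements rather than replaces.

```python
import hashlib
import hmac
import json

# Constructed per-session key. Assumed to be agreed after a validated TLS
# handshake; a hard-coded value is used here only so the demo runs offline.
SESSION_KEY = b"constructed-demo-session-key-not-for-production"


def sign_packet(key, body, seq):
    """Serialize deterministically and append an HMAC over body + sequence number."""
    payload = json.dumps({"seq": seq, "body": body},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload + b"." + tag.encode()


def verify_packet(key, packet, expected_seq):
    """Return the body if the tag and sequence number check out, else None."""
    try:
        payload, tag = packet.rsplit(b".", 1)
    except ValueError:
        return None  # malformed
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # altered in transit or signed with the wrong key
    msg = json.loads(payload)
    if msg.get("seq") != expected_seq:
        return None  # replayed or reordered packet
    return msg["body"]


def transfer_round_trip(tamper_response=False):
    """One request/response exchange; both sides verify before acting."""
    # Client -> server: a constructed balance query using an opaque account reference.
    request = sign_packet(SESSION_KEY, {"op": "balance", "account": "ref-7f3a"}, seq=1)
    req_body = verify_packet(SESSION_KEY, request, expected_seq=1)
    if req_body is None:
        return "server rejected request"

    # Server -> client: the reply is signed the same way.
    response = sign_packet(SESSION_KEY, {"balance": 500, "currency": "VND"}, seq=2)
    if tamper_response:
        # Constructed on-path modification of the reply: balance 500 -> 999500.
        response = response.replace(b'"balance":500', b'"balance":999500')

    resp_body = verify_packet(SESSION_KEY, response, expected_seq=2)
    if resp_body is None:
        return "client rejected response"
    return resp_body
```

An app that signs only outgoing packets would accept the altered reply and render the fake balance; with the check on both directions the tampered response is dropped.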
Broken Cryptography is a flaw that undermines the confidentiality of the data being encrypted. The speaker showed images of applications hardcoding "encrypted" passwords in files, using base64 encoding as if it were encryption, and so on.
Lack of Binary Protections: The speaker walked through how Java code is compiled into an APK and explained why APK files are so easily decompiled. Once decompiled, sensitive information is exposed: API details, encryption and decryption methods, the structure of the program, and more. The speaker also mentioned obfuscation tools such as DexGuard and ProGuard for Android, among others.
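As an added illustration of the base64 point (this is example code written for this write-up, not material from the talk or from VSEC), the block below shows that a base64 "encrypted" credential is recovered in one call, gives a small review heuristic that flags such literals in a constructed config file, and shows what to store instead when the app must verify a credential locally (for example a PIN): a salted PBKDF2 hash. The config lines and the iteration count are constructed demo values; a secret the app must present to a backend should not be embedded in the binary at all, which hashing does not solve.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of the anti-pattern: a "protected" value that is only base64.
STORED_BASE64 = base64.b64encode(b"hunter2").decode()

# Constructed config lines, as a reviewer might find them in a decompiled app.
SAMPLE_CONFIG = [
    'db_user = "app"',
    'db_pass = "' + base64.b64encode(b"hunter2").decode() + '"',
    'api_key = "' + base64.b64encode(b"supersecret").decode() + '"',
    'timeout = 30',
]


def reveal_base64_secret(encoded):
    """Base64 is an encoding, not encryption: anyone holding the file recovers the value."""
    return base64.b64decode(encoded).decode()


def find_base64_literals(lines):
    """Review heuristic: flag assignments whose value decodes as base64 to printable text."""
    hits = []
    for line in lines:
        if "=" not in line:
            continue
        value = line.split("=", 1)[1].strip().strip("\"'")
        if len(value) < 8 or len(value) % 4:
            continue  # too short or not base64-shaped
        try:
            decoded = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded.isascii() and decoded.decode().isprintable():
            hits.append(line)
    return hits


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; store this string, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2_sha256$200000$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The heuristic is deliberately cheap and will miss base64 that decodes to binary, but it catches exactly the case from the talk: readable text hidden behind an encoding that offers no secrecy.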
The mini-workshop delivered by Luong, CEO of VSEC, covered only the main sources of information security risk; there are more. However, by fixing these flaws, your systems can avoid 91% of threats. The world is now more connected, which makes our work easier, and hackers' too. It's high time that you took information security really seriously!