PISA organized the "Hong Kong e-Commerce Security Survey 2003".
SUMMARY of REPORT
Motivation
e-Commerce security is crucial to the development of e-Commerce, and PISA wanted to know the current situation in Hong Kong. Unfortunately, few published articles or papers depicting the situation in Hong Kong could be found. This motivated PISA to conduct an e-Commerce security study (the "study") in Hong Kong.

Objectives
The aim of the study is NOT to draw any conclusion about the e-Commerce security level of Hong Kong as a whole or of any particular sector, BUT to highlight areas found to be inadequate and to propose practices that can be adopted to improve the situation.

Methodology
The project started in February 2003 and ended in October 2003, with 10 PISA members taking part. 25 electronic commerce web sites from a variety of industries in Hong Kong were chosen for study: 17 of them from the financial sector and 8 from non-financial sectors. A total of 45 questions covering 3 aspects, namely infrastructure, application and operation, were used. In the infrastructure aspect, the study examined the DNS zone transfer setting, the choice of web server and its service patch level, X.509 certificate management and the server SSL configuration of the websites. In the application aspect, the study looked into items related to web page, session and password management. In the operation aspect, the study looked at the control procedures related to website operation and transactions. Common and easily available tools, such as Internet Explorer, the Netscape browser and basic network commands, were used to facilitate the study.

DNS Zone Transfer and Server Patch Level
DNS zone transfer, originally used to replicate DNS information to multiple name servers for fault tolerance and network performance, is often misused by hackers to map a company's Internet network topology. The study found that some companies failed to restrict zone transfers.
The study also found that not every company kept their web server version and patch level up to date, which gives hackers the chance to exploit well-known vulnerabilities.

SSL and Encryption of Communication
SSL is now a baseline technology used by websites to provide confidentiality and authentication between the web browser and the web server. However, the study found that 12% of the websites did not employ SSL for logon or for making transactions. Of those that employed SSL, some failed to properly show the SSL padlock at the lower right-hand corner of the browser on the logon page. The SSL padlock is the indicator that lets end users easily recognise the use of SSL on a website and verify the certificate before proceeding with the logon or online transaction. Although most of the sample websites supported high-grade encryption and a secure SSL version, the study found that some still supported low-grade encryption and a less secure SSL version. As SSL allows a "no encryption but MAC only" mode, one of the questions was whether any website supports this insecure mode. The study found that the answer was YES.

Digital Certificate Management
An X.509 certificate is a necessary component when SSL is used, so the study had a few questions related to X.509 certificate management. The study found that all the certificates provided by the sample websites were within their validity period and their certificate chains were complete. However, some of the websites' certificates were still version 1, which is outdated and unable to carry necessary security protections such as the Certificate Revocation List distribution point (CRLdp) and basic constraints. On the other hand, some websites failed to provide a CRLdp even though their X.509 certificates were version 3.
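
The SSL and certificate checks described above can be scripted. As an added example (not from the PISA report), the Python below builds a client context that refuses the weak settings the survey flagged and audits a certificate dictionary for version, CRL distribution point and validity period. The cipher entries and certificates are constructed samples in the shapes returned by the standard library's `ssl` module, and `crl.example.invalid` is a placeholder URL.

```python
import ssl
import time


def hardened_context() -> ssl.SSLContext:
    """Client context refusing the weak settings the survey flagged:
    SSLv2/SSLv3/TLS 1.0/1.1 and NULL, export-grade or low-grade ciphers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # eNULL is the "MAC only, no encryption" mode; EXPORT/LOW are 40/56-bit.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4")
    return ctx


def weak_ciphers(ciphers, min_bits=128):
    """Names of ciphers offering no encryption or low-grade key strength.
    `ciphers` has the shape of SSLContext.get_ciphers(): dicts with at
    least 'name' and 'strength_bits' (0 for NULL encryption)."""
    return [c["name"] for c in ciphers
            if c["strength_bits"] < min_bits or "NULL" in c["name"]]


def audit_cert(info, now=None):
    """Flag the certificate problems the survey looked for, given a dict in
    SSLSocket.getpeercert() shape (basicConstraints is not exposed there)."""
    now = time.time() if now is None else now
    issues = []
    version = info.get("version", 1)
    if version < 3:
        issues.append("X.509 v%d certificate (v3 needed for extensions)" % version)
    if not info.get("crlDistributionPoints"):
        issues.append("no CRL distribution point")
    not_before = ssl.cert_time_to_seconds(info["notBefore"])
    not_after = ssl.cert_time_to_seconds(info["notAfter"])
    if not not_before <= now <= not_after:
        issues.append("outside validity period")
    return issues


# Constructed samples; no real site, certificate or CA is represented.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},  # export (low) grade
    {"name": "NULL-SHA", "strength_bits": 0},      # MAC only, no encryption
]
SURVEY_TIME = ssl.cert_time_to_seconds("Jun  1 00:00:00 2003 GMT")
V1_CERT = {"version": 1, "notBefore": "Jan  1 00:00:00 2003 GMT",
           "notAfter": "Jan  1 00:00:00 2004 GMT"}
V3_CERT = dict(V1_CERT, version=3,
               crlDistributionPoints=("http://crl.example.invalid/ca.crl",))
```

Against a live site, `hardened_context().wrap_socket(sock, server_hostname=host).getpeercert()` yields a dict that `audit_cert` accepts directly.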
Application Aspect
Regarding the application aspect, the study took a quick look at the content of some web pages (for example, the logon page) to see whether they contained sensitive information and comments. The results showed that some websites need to do more to filter sensitive information and comments out of their web pages before production. Besides this, they have to pay more attention to the randomness of the session ID, automatic time-out of a logon session, disabling the back page and browser history feature, and the use of cookies in a secure manner.

Password Management
The study reviewed the sample websites against good password practices, such as adopting strong passwords, disallowing password reuse, periodic changing of passwords and forcing a password change on first-time access. The results found that there is room for improvement in these areas.

Operation Control
The study found that some companies required face-to-face authentication during account opening. However, a second authentication, such as entering a password or digital signature before approving a transaction, was less common. During the study, the project team noticed some exceptions that are not part of the scope. These included leaking of the database structure in SQL exceptions and leaking of user IDs and passwords through the use of the HTTP GET method.

Recommendations
The study report provides a number of recommended security practices that can be deployed by companies. However, as new security challenges will appear from time to time, security professionals, management, users, the government and the general public have to work together to meet the challenges.
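
Two of the application-layer and operation findings above lend themselves to simple checks a site operator can run over their own logs and session store. As an added example (not code from the report), the Python below flags GET requests whose query string carries user IDs or passwords, as they appear in common-log-format access lines, and estimates how unpredictable a sample of session IDs is from the per-position character entropy. The log lines, parameter names and session IDs are constructed.

```python
import math
import random
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never travel in a URL query string (they end
# up in browser history, proxy logs and the web server's own access log).
CREDENTIAL_PARAMS = {"userid", "username", "login", "password", "passwd", "pwd", "pin"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def credentials_in_get(log_lines):
    """(line number, leaked parameter names) for each GET request in
    common-log-format lines whose query string carries credential fields."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if m is None or m["method"] != "GET":
            continue
        params = parse_qs(urlsplit(m["target"]).query)
        leaked = sorted(p for p in params if p.lower() in CREDENTIAL_PARAMS)
        if leaked:
            hits.append((lineno, leaked))
    return hits


def session_id_entropy(ids):
    """Mean Shannon entropy in bits per character position over a sample of
    session IDs. Counter- or timestamp-based IDs score far below
    log2(alphabet size); IDs drawn from a CSPRNG approach it."""
    n = len(ids)
    width = min(len(s) for s in ids)
    total = 0.0
    for pos in range(width):
        for count in Counter(s[pos] for s in ids).values():
            total -= (count / n) * math.log2(count / n)
    return total / width


# Constructed sample input (no real hosts, users or sessions).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2003:10:01:02 +0800] "GET /logon?userid=alice&password=s3cret HTTP/1.1" 302 0',
    '10.0.0.5 - - [12/Mar/2003:10:01:09 +0800] "POST /logon HTTP/1.1" 302 0',
    '10.0.0.7 - - [12/Mar/2003:10:02:15 +0800] "GET /account?view=summary HTTP/1.1" 200 5120',
]
SEQUENTIAL_IDS = ["%08d" % n for n in range(1000, 1064)]  # a counter-based scheme
_rng = random.Random(2003)  # seeded only so the sample is reproducible;
# production session IDs must come from the secrets module, not random.
RANDOM_IDS = ["".join(_rng.choices("0123456789abcdef", k=8)) for _ in range(64)]
```

The 8-digit counter scheme scores under 1 bit per position against a ceiling of about 3.3 bits for decimal digits, while the hex sample scores close to its 4-bit ceiling.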

Organizer: Professional Information Security Association (PISA), an organization for local information security professionals.