How secure is .rs?

In 2014 we published a report titled “National domain security analysis” (pdf), sponsored by RNIDS (the Serbian National Internet Domain Registry). The study was presented the same year on the “3u1” debate panel during the “European Cyber Security Month”, organised by ENISA (the European Union Agency for Network and Information Security) and RNIDS.

Participants, the general public and the media showed broad interest in the study, and it was well received by the media at the time: Blic, B92, Live TV, IT Svet, PC Press, Biznis i Finansije, Personal Mag, Dnevnik, etc.

This led to further panels, presentations and improvements over the original report, mainly at ETF (Faculty of Electrical Engineering), FON (Faculty of Organizational Sciences), the Faculty of Security Studies and others.

Our hope was that this 2014 report and analysis would serve as a foundation for business and technical decision makers. As security threats increase and privacy concerns heighten, the relevance and timeliness of this report remain significant, underscoring the imperative that data security, protection and privacy be integrated into every service, business process, web site and mobile application.

2014 report and analysis (pdf) #

This study covered 86.291 national internet domains (.rs).

Covered points:

Serbia on the Internet in 2014:

The results of this analysis were not encouraging, to say the least. Of the 79.1% of domains that had an active web service, only 54.3% had HTTPS enabled, and of those only 14.2% had HTTPS configured correctly. On the mail transport side, of the 81.9% of domains with an active SMTP service, 49.1% supported encryption, and of those only 13.5% had it configured correctly.

On top of that:

HTTPS & usage of HSTS #

During our panels, discussions, interviews and trainings we explained the dangers of encryption misconfiguration and of using obsolete encryption standards and protocols. One of the major points was that HTTP Strict Transport Security (HSTS) should be enabled for every web encryption setup. In a 2009 paper, Moxie Marlinspike introduced the concept of SSL stripping, a man-in-the-middle attack in which a network attacker prevents a web browser from upgrading to an SSL connection in a subtle way that would likely go unnoticed by the user.


The HTTP Strict Transport Security (HSTS) specification was subsequently developed, drafted in 2010 and accepted as an RFC in 2012, to combat these attacks. Since 2012, major banks, retailers and others around the world (except in under-developed countries, Serbia included) have adopted this technology to combat MitM attacks. The main reason we pushed HSTS during our presentations and conversations was the discovery that only 0.002% of all national domains in Serbia used it.
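A survey like the one described above has to decide, per domain, whether an HSTS policy is present and whether it is actually usable by browsers. The following is an added example, not the report's own tooling: it parses a Strict-Transport-Security header, grades it (missing, disabled, weak, ok) and tallies grades over constructed sample headers; a real survey would read each header from the domain's HTTPS response.

```python
# Added example, not the report's own tooling: grade Strict-Transport-Security
# headers as a site audit would. Header values are constructed samples; a real
# survey reads them from each domain's HTTPS response.
import re
from typing import Optional

ONE_YEAR = 31536000  # seconds; preload lists require at least this max-age

def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Return {'max_age', 'include_subdomains', 'preload'} or None if unusable."""
    if header is None:
        return None
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m is None or out["max_age"] is not None:
                return None  # malformed or duplicated max-age: browsers ignore it
            out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else None  # max-age is mandatory

def grade_hsts(header: Optional[str]) -> str:
    """'missing' (no usable policy), 'disabled' (max-age=0), 'weak' or 'ok'."""
    policy = parse_hsts(header)
    if policy is None:
        return "missing"
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells browsers to forget a stored policy
    if policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]:
        return "weak"  # short lifetime, or subdomains left open to stripping
    return "ok"

# Constructed per-domain header values, as a crawler would collect them.
SAMPLE_HEADERS = {
    "bank-a.example": "max-age=31536000; includeSubDomains; preload",
    "bank-b.example": "max-age=300",
    "bank-c.example": None,
    "bank-d.example": "max-age=0",
}

def survey(headers: dict) -> dict:
    """Tally grades over many domains, as the report's percentages do."""
    grades = [grade_hsts(h) for h in headers.values()]
    return {g: grades.count(g) for g in set(grades)}
```

Note that a policy only protects a browser that has already visited the site over HTTPS once, which is why the preload flag and a long max-age matter for a bank's login page.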

Privacy on the Internet #

The second major point was engaging the audience on the need for privacy on the Internet. The most common statement among students at the time was: “We don’t care about rights to privacy, because we have nothing to hide”. As the perfect answer, we can quote Edward Snowden: “This is not different than saying: We don’t care about freedom of speech because we have nothing to say”.


2016 addition to the report: e-Banking in Serbia #

In 2016 we analyzed how banks in Serbia protect their users with encryption during web access. The criteria used in this addition are highly relevant to the security and privacy practices banks must implement to maximize online trust and consumer protection in e-banking.

This analysis includes:

This analysis does NOT include:

As with our 2014 results for overall national domain security, the new survey and analysis results are not encouraging, to say the least. To some extent we can safely say that they are frightening.

The e-Banking preliminary summary #


Conclusion #

Given the failures described above to meet best practices for securing data in transit, I will leave any comments to the reader. Mine would not be appropriate after observing those failures.

It might be worth mentioning that the EU headquarters of some Serbian banks have all of these security features implemented correctly, while their Serbian branches do not. Perhaps, if this were regulated by local Serbian law, and if that law were implemented in a way that protects consumers, banks would take care to implement the best possible standards to protect their customers. Unfortunately, the majority will continue to pay an “Account maintenance fee” every month and accept the conditions.

If you liked this, I highly recommend that you also read “E-banking: Defective by design” by Dušan Dželebdžić and Žarko Ptiček.




UPDATE 2016/01/11: This blog entry was kindly translated into Serbian as “Koliko je naš e-banking zaista siguran?” and published by Netokracija.rs.

UPDATE 2016/01/14: Another blog post appeared (not related to our work) on mostly the same topic but different domains, in Serbian: “Zašto se browseri plaše sajtova državne uprave?”

UPDATE 2016/01/15: It looks like this is not limited to under-developed countries: Brian X. Chen (@bxchen), lead consumer technology writer and author of the Tech Fix column for @nytimes, sent an unrelated tweet on almost the same topic, noting “World of Warcraft has better password security (2-step verification) than some banks (e.g. Capital One). That’s nuts.” The tweet was published here.

UPDATE 2016/01/22:
The first bank to officially respond to this report was Societe Generale Serbia. Its public statement was published here and here. This was not surprising, since it is one of the banks that had actually taken all measures except HSTS and had an A- in the report.




UPDATE 2016/03/07:
The second bank to respond and correct the issues mentioned in the survey above was UniCredit Bank.
