Wednesday, April 20, 2016

[RESEARCH] Banks In Hong Kong Running With What Services

After the research on SSL certificate grading of banks in Hong Kong, I am doing another piece of research on banks in Hong Kong to see what services they are running, such as the web server or the protection in front of it. The test is based on the List of banks in Hong Kong. The standard site URL and the personal online banking URL of each bank have been tested. Web application vulnerability testing is not in the scope. The test was carried out on April 20, 2016.

DBS Bank (Hong Kong) 星展銀行(香港) and Standard Chartered Bank (Hong Kong) 渣打銀行 are running behind Akamai, which provides DDoS/DoS protection to its clients. Akamai also provides a Web Application Firewall (WAF) to its clients. A WAF can protect web applications from attacks such as SQLi, XSS and CSRF even when the applications themselves have these kinds of vulnerabilities. I will not discuss WAF bypass here. Anyway, generally speaking, a WAF can do the job well.

Public Bank (Hong Kong) 大眾銀行(香港) and Chong Hing Bank 創興銀行 are running behind G2 Web Services, which is also considered to provide secure services.

It seems that almost all the bank websites in Hong Kong are protected by a firewall and/or WAF, as I could not fetch any information from some of the sites during the test. That does not mean the sites I could fetch information from are not protected by a firewall and/or WAF.
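The "Running on" / "Powered by" entries in the reference list below come from the Server and X-Powered-By response headers. As an added example (not the author's tool), this Python script parses a raw HTTP response and reports what the server discloses, flags the two protection edges named above (the EDGE_SIGNATURES mapping is an assumption limited to those vendors), and marks product/version disclosure that a defender would normally suppress on the origin; the sample responses are constructed.

```python
import re

# Server values that identify a protection/CDN edge named above rather than
# the origin web server (assumption: only the two vendors on this page).
EDGE_SIGNATURES = {"akamaighost": "Akamai", "g2": "G2 Web Services"}


def parse_headers(raw_response):
    """Return the headers of a raw HTTP response as a lower-cased dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw_response):
    """Summarise what a response discloses about the serving stack."""
    headers = parse_headers(raw_response)
    server = headers.get("server")
    powered_by = headers.get("x-powered-by")
    edge = EDGE_SIGNATURES.get(server.lower()) if server else None
    # A token like "Microsoft-IIS/7.5" or "Servlet/3.0" leaks a product
    # version; stripping it from the origin's headers is the usual fix.
    discloses_version = any(
        re.search(r"/\d", value) for value in (server, powered_by) if value
    )
    return {"server": server, "powered_by": powered_by,
            "edge": edge, "discloses_version": discloses_version}


# Constructed sample responses modelled on the values observed in the test.
SAMPLE_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_AKAMAI = "HTTP/1.1 200 OK\r\nServer: AkamaiGHost\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_SILENT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_IIS, SAMPLE_AKAMAI, SAMPLE_SILENT):
        print(fingerprint(sample))
```

A silent response (no Server header) is what the sites the post could not fingerprint would look like; it shows a hardened origin or an edge, not the absence of protection.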

In conclusion, I am sure that DBS Bank (Hong Kong) 星展銀行(香港) and Standard Chartered Bank (Hong Kong) 渣打銀行 cannot be taken down by DDoS/DoS attacks.

With reference to my previous research on SSL certificates, DBS Bank (Hong Kong) 星展銀行(香港) is the most secure bank in Hong Kong at the time of this writing. Their IT department is doing a great job on security. If their IT department can also implement HPKP on the SSL certificate, it will be even better. Anyway, congratulations!

REFERENCE

The Personal Online Banking URL :

Bank of China (Hong Kong) 中國銀行(香港)
- Personal Customers - https://its.bochk.com/login/ibs_lgn_index_e.jsp
- System Details - Powered by: Servlet/3.0

Dah Sing Bank 大新銀行
- ebanking Personal - https://www.dahsing.com/eBank/jsp/login/ebank_id_login_frm.jsp
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

DBS Bank (Hong Kong) 星展銀行(香港)
- iBanking - https://internet-banking.hk.dbs.com/IB/Welcome
- System Details - Running on: AkamaiGHost

Public Bank (Hong Kong) 大眾銀行(香港)
- Net Banking - https://ebank.publicbank.com.hk/index0028.html
- System Details - Running on: G2

Shanghai Commercial Bank 上海商業銀行
- Personal Internet Banking - https://www.shacombank.com.hk/ibanking/servlet/com.ibm.dse.cs.servlet.CSEstablishSessionServlet/customer/en_US
- System Details - Running on: IBM_HTTP_Server

Standard Chartered Bank (Hong Kong) 渣打銀行
- Online Banking - https://ibank.standardchartered.com.hk/nfs/login.htm?lang=en_US
- System Details - Running on: AkamaiGHost

Wing Lung Bank 永隆銀行
- Personal Net Banking - https://www.winglungbank.com/EnNbMainR.html
- System Details - Running on: IBM_HTTP_Server

* Banks not in the list did not return any information during the test.


The standard site URL :

China CITIC Bank International 中信銀行國際
- http://www.cncbinternational.com/home/en/index.jsp
- System Details - Powered by: Servlet/2.5

Chong Hing Bank 創興銀行
- http://www.chbank.com/en/index.shtml
- System Details - Running on: G2

Dah Sing Bank 大新銀行
- http://www.dahsing.com/en/html/index.html
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

DBS Bank (Hong Kong) 星展銀行(香港)
- https://www.dbs.com.hk/index/default.page
- System Details - Running on: AkamaiGHost

Fubon Bank (Hong Kong) 富邦銀行(香港)
- http://www.fubonbank.com.hk/web/html/index_e.html
- System Details - Powered by: Servlet/3.0

Industrial and Commercial Bank of China (Asia) 工銀亞洲
- http://www.icbcasia.com/ICBC/%E6%B5%B7%E5%A4%96%E5%88%86%E8%A1%8C/%E5%B7%A5%E9%93%B6%E4%BA%9A%E6%B4%B2/EN/
- System Details - Running on: Microsoft-IIS/7.5 and Powered by: ASP.NET

Public Bank (Hong Kong) 大眾銀行(香港)
- http://www.publicbank.com.hk/en/home
- System Details - Running on: G2

Shanghai Commercial Bank 上海商業銀行
- http://www.shacombank.com.hk/eng/personal/index.jsp
- System Details - Running on: IBM_HTTP_Server

Standard Chartered Bank (Hong Kong) 渣打銀行
- https://www.sc.com/hk/
- System Details - Running on: AkamaiGHost

Wing Lung Bank 永隆銀行
- http://www.winglungbank.com/wlb_corporate/en/index.html
- System Details - Running on: IBM_HTTP_Server

* Banks not in the list did not return any information during the test.

That's all! See you.


Tuesday, April 19, 2016

[RESEARCH] SSL Certificate Grading of Banks in Hong Kong

In order to understand the information security condition in Hong Kong, I selected the websites of banks in Hong Kong for SSL certificate checking. The check is aimed at testing the strength of the SSL certificate, Man-In-The-Middle attack prevention and protocol vulnerabilities. Web application vulnerabilities and corporate online banking are not in the testing scope. However, most SSL certificates may be shared with sub-domains.

The check is based on the "List of Banks In Hong Kong". I used the Qualys SSL Labs online testing tool for the check.

The result of the check (carried out on April 19, 2016) is ranked by SSL grade :

Grade A
DBS Bank (Hong Kong) 星展銀行(香港)

Grade A-
(1) Bank of China (Hong Kong) 中國銀行(香港)
(2) Bank of East Asia 東亞銀行
(3) China Construction Bank (Asia) 中國建設銀行(亞洲)
(4) Chong Hing Bank 創興銀行
(5) Citibank (Hong Kong) 花旗銀行
(6) Dah Sing Bank 大新銀行
(7) Fubon Bank (Hong Kong) 富邦銀行(香港)
(8) OCBC Wing Hang Bank 華僑永亨銀行
(9) Public Bank (Hong Kong) 大眾銀行(香港)
(10) Standard Chartered Bank (Hong Kong) 渣打銀行

Grade C
(1) Hang Seng Bank 恒生銀行
(2) Hongkong and Shanghai Banking Corporation 滙豐銀行
(3) Industrial and Commercial Bank of China (Asia) 工銀亞洲
(4) Shanghai Commercial Bank 上海商業銀行
(5) Wing Lung Bank 永隆銀行

Grade F
China CITIC Bank International 中信銀行國際

The following three banks have implemented HSTS (HTTP Strict Transport Security) to force the users' browser to use an HTTPS connection. This gives some degree of Man-In-The-Middle (MITM) attack protection. However, HPKP (HTTP Public Key Pinning) is not implemented, so there is still a risk of MITM attack. Meanwhile, the China CITIC Bank International 中信銀行國際 website has the POODLE vulnerability in its SSL protocol, which brings its grade down to F.

(1) China CITIC Bank International 中信銀行國際
(2) Chong Hing Bank 創興銀行
(3) Fubon Bank (Hong Kong) 富邦銀行(香港)

Even the highest-ranked DBS Bank (Hong Kong) 星展銀行(香港) does not implement HPKP (HTTP Public Key Pinning), so it still faces a risk of Man-In-The-Middle attack even though it uses HSTS. Attackers can use a fake SSL certificate to bypass HSTS protection when HPKP is not in force.
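The "HSTS in force" / "HPKP in force" remarks in the reference list below depend on the Strict-Transport-Security and Public-Key-Pins response headers. As an added example (not the SSL Labs tool or any bank's code), this Python check evaluates the two header values the way a browser would before honouring them: HSTS needs a non-zero max-age, and HPKP is ignored unless it carries at least two pins and a max-age. The six-month threshold is an assumption, and the sample header values and pin strings are constructed placeholders.

```python
import re

# Six months: below this an HSTS policy expires too quickly to help repeat
# visitors (assumed threshold; HSTS preload itself requires one year).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

def parse_directives(value):
    """Split 'max-age=31536000; includeSubDomains' into a lower-cased dict."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"') or True
    return directives

def check_hsts(header_value):
    """Return (in_force, reason) for a Strict-Transport-Security value.
    HSTS only protects visitors who already saw it, while max-age lasts."""
    if header_value is None:
        return False, "Strict-Transport-Security header absent"
    directives = parse_directives(header_value)
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        return False, "max-age missing or invalid"
    if int(max_age) == 0:
        return False, "max-age=0 tells browsers to forget the policy"
    if int(max_age) < MIN_HSTS_MAX_AGE:
        return True, "in force, but max-age is under six months"
    scope = "all subdomains" if "includesubdomains" in directives else "this host only"
    return True, f"in force for {scope}"

def check_hpkp(header_value):
    """Return (in_force, reason) for a Public-Key-Pins value. Browsers
    ignore the header unless it carries at least two pins (one must be a
    backup key not in the served chain) and a max-age."""
    if header_value is None:
        return False, "Public-Key-Pins header absent"
    pins = re.findall(r'pin-sha256="([^"]+)"', header_value)
    max_age = re.search(r"max-age=(\d+)", header_value)
    if len(pins) < 2:
        return False, f"only {len(pins)} pin(s); a backup pin is required"
    if max_age is None:
        return False, "max-age missing"
    return True, f"in force with {len(pins)} pins for {max_age.group(1)} seconds"

# Constructed header values; the pin strings are placeholders, not real hashes.
HSTS_GOOD = "max-age=31536000; includeSubDomains; preload"
HPKP_GOOD = ('pin-sha256="PLACEHOLDER_PIN_A="; pin-sha256="PLACEHOLDER_PIN_B="; '
             "max-age=5184000; includeSubDomains")
HPKP_ONE_PIN = 'pin-sha256="PLACEHOLDER_PIN_A="; max-age=5184000'
```

Major browsers have since removed HPKP support, so today only the HSTS check (and preloading) still matters; a mis-set pin also locks clients out for the whole max-age, which is why the backup pin is mandatory.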

It is very interesting that the largest bank in Hong Kong (Hongkong and Shanghai Banking Corporation 滙豐銀行) only bears a Grade C. I wonder why no bank website in Hong Kong bears a Grade A+ SSL certificate when even my personal site is graded A+.

[Edit after several hours of the post :
I think the IT departments of the banks may misunderstand, or may not fully understand, the purpose of an SSL certificate for a website. In addition, they may not even know the limitation of HSTS, which can be bypassed by attackers. In my opinion, the best practice for SSL certificate implementation at the moment is to adopt HPKP to reduce the risk of MITM attacks.

The low grading is no excuse for backward compatibility with old browsers. Being compatible with old or vulnerable browsers will void the security of the website for sure. Some low-graded bank websites are even compatible with an insecure protocol (RC4 {please refer to the bottom of this article for details}), which places a trap for their clients.]

In conclusion, all bank websites in Hong Kong face a risk of being attacked by Man-In-The-Middle attack. From this result, it is predicted that most websites in Hong Kong do not do well in SSL grading.

REFERENCE

I only checked the licensed banks incorporated in Hong Kong. The following is the summary of the checking :

Bank of China (Hong Kong) 中國銀行(香港)
- Personal Customers - https://its.bochk.com/login/ibs_lgn_index_e.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=its.bochk.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Bank of East Asia 東亞銀行
- Cyberbanking - https://mobile.hkbea-cyberbanking.com/servlet/FRLogon?Lang=Eng
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=mobile.hkbea-cyberbanking.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

China CITIC Bank International 中信銀行國際
- Personal - https://ibanking.cncbinternational.com/CKWPortal/appmanager/Portal/CKWPerson?isPPB=0&displayLang=en_US
- Overall Rating - F (https://www.ssllabs.com/ssltest/analyze.html?d=ibanking.cncbinternational.com)
- Vulnerable to POODLE (TLS) and HPKP is not in force. But HSTS is in force.

China Construction Bank (Asia) 中國建設銀行(亞洲)
- Personal Banking - https://online.asia.ccb.com/PersonalHKWeb/signin/SigninController.jpf
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=online.asia.ccb.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Chong Hing Bank 創興銀行
- i-Banking - https://www.ibanking.chbank.com/index0041.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.ibanking.chbank.com)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Citibank (Hong Kong) 花旗銀行
- Online - https://www.citibank.com.hk/HKGCB/JSO/signon/DisplayUsernameSignon.do?locale=en_HK
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.citibank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Dah Sing Bank 大新銀行
- ebanking Personal - https://www.dahsing.com/eBank/jsp/login/ebank_id_login_frm.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.dahsing.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

DBS Bank (Hong Kong) 星展銀行(香港)
- iBanking - https://internet-banking.hk.dbs.com/IB/Welcome
- Overall Rating - A (https://www.ssllabs.com/ssltest/analyze.html?d=internet-banking.hk.dbs.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Fubon Bank (Hong Kong) 富邦銀行(香港)
- e-banking - https://www.ebank.fubonbank.com.hk/index0128J.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=www.ebank.fubonbank.com.hk)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Hang Seng Bank 恒生銀行
- Personal e-Banking - https://e-banking1.hangseng.com/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDd-NQv1BDg2AXA1-PEE9zH2cTAwgAykcC5Q3CfCydDEy9LAzMDL39vNzMDGDyROh2dnf0MDH3AfLDPF0NPE2cTAxMfd0MDTyNCej288jPTdUvyA2NKHdUVAQA-SNG7A!!/dl3/d3/L2dJQSEvUUt3QS9ZQnZ3LzZfMEczVU5VMTBTRDBNSFRJN01DNDAwMDAwMDA!/
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=e-banking1.hangseng.com)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

Hongkong and Shanghai Banking Corporation 滙豐銀行
- Personal Internet Banking - https://www.ebanking.hsbc.com.hk/1/2/logon?LANGTAG=en&COUNTRYTAG=US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.ebanking.hsbc.com.hk)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

Industrial and Commercial Bank of China (Asia) 工銀亞洲
- Personal/Private Banking - https://myebankasia.icbc.com.cn/icbc/perbank/index.jsp?areaCode=0110&dse_locale=en-US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=myebankasia.icbc.com.cn)
- No protocol vulnerability found but insecure RC4 protocol is in force. HSTS and HPKP are not in force.

OCBC Wing Hang Bank 華僑永亨銀行
- Personal Customer - https://ebanking.ocbcwhhk.com/jsp/chs/personal/0830/errorInvalidDevice.jsp
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ebanking.ocbcwhhk.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Public Bank (Hong Kong) 大眾銀行(香港)
- Net Banking - https://ebank.publicbank.com.hk/index0028.html
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ebank.publicbank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Shanghai Commercial Bank 上海商業銀行
- Personal Internet Banking - https://www.shacombank.com.hk/ibanking/servlet/com.ibm.dse.cs.servlet.CSEstablishSessionServlet/customer/en_US
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.shacombank.com.hk)
- No protocol vulnerability found but HSTS and HPKP are not in force.

Standard Chartered Bank (Hong Kong) 渣打銀行
- Online Banking - https://ibank.standardchartered.com.hk/nfs/login.htm?lang=en_US
- Overall Rating - A- (https://www.ssllabs.com/ssltest/analyze.html?d=ibank.standardchartered.com.hk)
- No protocol vulnerability found and HSTS is in force. But HPKP is not in force.

Wing Lung Bank 永隆銀行
- Personal Net Banking - https://www.winglungbank.com/EnNbMainR.html
- Overall Rating - C (https://www.ssllabs.com/ssltest/analyze.html?d=www.winglungbank.com)
- No protocol vulnerability found but HSTS and HPKP are not in force.


About Insecure RC4
Imperva Security Response to OpenSSL and TLS/RC4 Vulnerabilities
Killing RC4 (softly)

See Also : [RESEARCH] Banks In Hong Kong Running With What Services

That's all! See you.


Friday, April 01, 2016

HOWTO : Netdata on Ubuntu 14.04.4 LTS

netdata is a highly optimized Linux daemon providing real-time performance monitoring for Linux systems, Applications, SNMP devices, over the web!

It tries to visualize the truth of now, in its greatest detail, so that you can get insights of what is happening now and what just happened, on your systems and applications.

This is what you get:

- Beautiful out of the box bootstrap dashboards
- Custom dashboards that can be built using simple HTML (no javascript necessary)
- Blazingly fast and super efficient, written in C (for default installations, expect just 2% of a single core CPU usage and a few MB of RAM)
- Zero configuration - you just install it and it autodetects everything
- Zero dependencies, it is its own web server for its static web files and its web API
- Extensible, you can monitor anything you can get a metric for, using its Plugin API (anything can be a netdata plugin - from BASH to node.js)
- Embeddable, it can run anywhere a Linux kernel runs

Okay, what does it look like? Here you are.

Step 1 :

sudo apt-get update
sudo apt-get install build-essential zlib1g-dev gcc make git autoconf autogen automake pkg-config


Step 2 :

git clone https://github.com/firehol/netdata.git
cd netdata
sudo ./netdata-installer.sh


Press "Enter" to install.

Step 3 :

sudo nano /etc/init/netdata.conf

Make the file look like :



Step 4 :

To start it :

sudo start netdata

To stop it :

sudo stop netdata

To restart it :

sudo restart netdata

Remark : it will start automatically on every reboot.

Step 5 :

Start browser and point it to :

http://192.168.0.100:19999

* where 192.168.0.100 is the IP address of the server

Upgrade/Update

cd netdata
git pull
sudo ./netdata-installer.sh


That's all! See you.