13 Mar, 2023

Missing encryption on sensitive data


“MESD” or “MED” is shorthand for “Missing Encryption of Sensitive Data”, catalogued as CWE-311. It describes the situation where data that needs protecting (credentials, payment card numbers, personal identifiers, medical records, session tokens, private keys) is stored or transmitted in cleartext, so anyone who can read the storage medium or observe the channel can read the data. Encryption turns that data into ciphertext that only holders of the right key can turn back into plaintext, even if the ciphertext itself is captured. Be precise about what it buys you: encryption protects confidentiality, and with an authenticated mode (AES-GCM, ChaCha20-Poly1305, TLS) also the integrity of what is stored or sent; it does nothing for availability, and it is only as strong as the key management behind it. The weakness also covers the case where data is "protected" by a reversible encoding or a home-grown scheme that anyone can undo, which is how several of the CVEs listed further down were reported.

Examples of vulnerable code in different programming languages:

• in Python:

    import requests

    # Credentials hard-coded in the source file (CWE-798)
    username = "admin"
    password = "secret123"

    # Posted to a plain http:// endpoint: the form body, password included,
    # crosses the network in cleartext
    response = requests.post("http://example.com/login",
                             data={"username": username, "password": password})

    if response.status_code == 200:
        print("Login successful")
    else:
        print("Login failed")

In this Python example the login form, username and password included, is posted to an http:// URL. Nothing encrypts the body, so anyone on the path (a shared Wi-Fi network, a compromised router, a transparent proxy) can read the values straight out of the traffic. Two further defects compound it: the credentials are hard-coded in the source, and nothing checks that the endpoint is actually TLS-protected before sending them.

To fix this, post to an https:// URL only, keep certificate verification on (requests verifies by default; never pass verify=False to silence a certificate error), and load the credentials from the environment or a secrets manager rather than the source file. On the server side, mark session cookies Secure and send an HSTS header so that browsers do not fall back to HTTP.
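The following is an added example and not code from the original page: it shows the client-side checks a reviewer would expect around the corrected requests.post() call, namely refusing any non-https URL, a TLS context with certificate and hostname verification on and a TLS 1.2 floor, and credentials read from the environment. The environment variable names LOGIN_USER and LOGIN_PASSWORD are assumptions for this example; no network connection is made.

```python
import os
import ssl
from urllib.parse import urlparse


class CleartextTransportError(ValueError):
    """Raised when a request would send credentials without TLS."""


def is_cleartext(url: str) -> bool:
    """True when the URL scheme is anything other than https."""
    return urlparse(url).scheme.lower() != "https"


def require_https(url: str) -> str:
    """Return the URL unchanged if it is https://, otherwise refuse.

    A plain scheme check catches the most common mistake: a login endpoint
    copied from documentation or a config file with http://.
    """
    parsed = urlparse(url)
    if is_cleartext(url):
        raise CleartextTransportError(
            f"refusing to send credentials over {parsed.scheme or 'no'}://"
        )
    if not parsed.hostname:
        raise ValueError("URL has no host component")
    return url


def build_client_context() -> ssl.SSLContext:
    """TLS context for http.client / urllib with verification on.

    ssl.create_default_context() already checks the certificate chain and
    hostname against the system trust store; on top of that we refuse to
    negotiate anything older than TLS 1.2, so a downgrade cannot land the
    connection on SSLv3 / TLS 1.0.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """The three settings a code reviewer should check before approving."""
    return (
        ctx.check_hostname is True
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def load_credentials(env=None) -> tuple:
    """Read the login from the environment instead of source code.

    LOGIN_USER and LOGIN_PASSWORD are hypothetical variable names chosen
    for this example; a secrets-manager client would slot in here too.
    """
    env = os.environ if env is None else env
    try:
        return env["LOGIN_USER"], env["LOGIN_PASSWORD"]
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None


def prepare_login(url: str, env=None) -> dict:
    """Keyword arguments for requests.post(), validated before any I/O."""
    user, password = load_credentials(env)
    return {
        "url": require_https(url),
        "data": {"username": user, "password": password},
        "timeout": 10,
        # requests verifies certificates by default; state it explicitly so a
        # later "quick fix" to verify=False stands out in code review.
        "verify": True,
    }
```

The login call becomes requests.post(**prepare_login("https://example.com/login")); build_client_context() is for code paths that use http.client.HTTPSConnection or urllib directly, where the context has to be passed explicitly.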

• in Java:

    import java.sql.*;

    public class DatabaseConnection {
        // Connection URL does not request TLS, and the credentials are
        // string constants compiled into the class file
        private static final String URL = "jdbc:mysql://localhost:3306/mydb";
        private static final String USER = "root";
        private static final String PASSWORD = "root123";

        public static void main(String[] args) throws SQLException {
            Connection conn = DriverManager.getConnection(URL, USER, PASSWORD);
            // Perform database operations...
        }
    }


In this Java example the database user and password are string constants in the class, so anyone who can read the source, the compiled .class file (string constants are trivially recovered with javap or strings), or any repository that ever contained the file has them. That is a weakness in its own right, CWE-798 Use of Hard-coded Credentials, and it compounds the missing-encryption problem: the JDBC URL does not require TLS either, so if the database is not on localhost the credentials and every query result also cross the network in cleartext unless the driver's defaults happen to enable it.

To fix this, load the credentials at runtime from environment variables, a secrets manager, or an encrypted configuration file whose key is not kept in the repository; rotate the credential that was committed, since history keeps it; and require TLS in the connection URL (for MySQL Connector/J, sslMode=REQUIRED at minimum, or VERIFY_IDENTITY so that the server certificate is checked as well).
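As an added example, not code from the original page, the scanner below is the check a reviewer or CI job would run to catch the defect in the Java snippet: it flags string literals assigned to password-like identifiers and credentials embedded in connection URLs, and it shows the runtime alternative of reading the credential from the environment. The sample source lines and the variable names DB_USER and DB_PASSWORD are constructed for this example.

```python
import os
import re

# Identifier fragments that usually name a secret.
SECRET_WORDS = r"(?:password|passwd|pwd|secret|api[_-]?key|token)"

# <name containing a secret word> [: type] = "literal"
# Good enough for Java, PHP, Python and Go declarations on a first pass.
HARDCODED = re.compile(
    rf"\b[\w$]*{SECRET_WORDS}[\w$]*\s*"          # identifier containing a secret word
    rf"(?::\s*[\w<>\[\]]+\s*)?"                  # optional type annotation (name: str)
    rf"=\s*(['\"])(?P<value>[^'\"\n]{{4,}})\1",  # quoted literal of 4+ characters
    re.IGNORECASE,
)
# scheme://user:password@host embedded in a connection string
URL_CREDS = re.compile(r"\w+://[^/\s:@]+:(?P<value>[^@\s/]+)@")

# Values that are placeholders rather than real secrets (reduces noise).
PLACEHOLDERS = {"changeme", "xxxx", "<password>", "${password}", "example"}


def scan_source(text: str) -> list:
    """Return (line_no, stripped_line, secret_value) for each suspicious line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern in (HARDCODED, URL_CREDS):
            m = pattern.search(line)
            if m and m.group("value").lower() not in PLACEHOLDERS:
                findings.append((n, line.strip(), m.group("value")))
                break
    return findings


def db_credentials(env=None) -> tuple:
    """Runtime replacement for the string constants.

    Fails loudly when the variable is missing instead of falling back to a
    default; DB_USER / DB_PASSWORD are hypothetical names for this example.
    """
    env = os.environ if env is None else env
    try:
        return env["DB_USER"], env["DB_PASSWORD"]
    except KeyError as missing:
        raise RuntimeError(f"credential {missing} not provided") from None


# Constructed sample input, modelled on the Java snippet above.
SAMPLE_SOURCE = """\
// constructed sample modelled on the Java snippet above
private static final String USER = "root";
private static final String PASSWORD = "root123";
private static final String PASSWORD = System.getenv("DB_PASSWORD");
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"
api_key = "changeme"
"""
```

Running scan_source(SAMPLE_SOURCE) reports line 3 (the literal "root123") and line 5 (the password inside the URL); the System.getenv() line and the "changeme" placeholder are not reported. A regex scanner of this kind is a first filter, not a guarantee: secrets built by concatenation or stored in resource files need a dedicated tool and a review of the build output.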

• in PHP:

    <?php

    $username = $_POST['username'];
    $password = $_POST['password'];

    // Database connection code here...

    // Untrusted input spliced into the query, compared against a
    // plaintext password column
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) == 1) {
        echo "Login successful";
    } else {
        echo "Login failed";
    }
    ?>

In this PHP example two things are wrong. The username and password are concatenated straight into the SQL string, which is classic SQL injection (CWE-89): a username of admin'-- (with a trailing space) closes the quoted value and comments out the password check, so the query returns exactly the one row the code is looking for. And the password is compared against a password column as-is, which means the users table holds every password in plaintext (CWE-312); anyone who obtains a dump, a backup, or a single injected SELECT gets all of them.

To fix this, use prepared statements with bound parameters (mysqli_prepare with bind_param, or PDO) so that input is never parsed as SQL, and stop storing passwords at all: store a salted, deliberately slow hash produced by password_hash() and check it with password_verify(). Prepared statements do not encrypt anything; they only separate code from data, so both changes are needed.
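To make the two defects and the two fixes concrete, here is an added example (not the page's PHP code) that implements the same login twice against an in-memory SQLite database: vulnerable_login() reproduces the PHP logic, a string-built query over a plaintext password column, and safe_login() uses a bound parameter and a salted PBKDF2-HMAC-SHA256 hash. The user records are constructed for this example; table and column names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256; OWASP's current guidance is 600,000.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash in a self-describing 'algo$iters$salt$digest' string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified against when the username does not exist, so an unknown user costs
# the same time as a wrong password (no username enumeration by timing).
DUMMY_HASH = hash_password("not-a-real-password")


def make_db(users) -> sqlite3.Connection:
    """Two tables: users_plain as the PHP code assumes, users with hashes instead."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    for name, password in users:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, password))
        db.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password(password)))
    db.commit()
    return db


def vulnerable_login(db, username: str, password: str) -> bool:
    """Mirrors the PHP snippet: input spliced into SQL, plaintext comparison."""
    sql = f"SELECT * FROM users_plain WHERE username='{username}' AND password='{password}'"
    return len(db.execute(sql).fetchall()) == 1


def safe_login(db, username: str, password: str) -> bool:
    """Bound parameter (input is data, never SQL) plus hash verification."""
    row = db.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    stored = row[0] if row else DUMMY_HASH
    ok = verify_password(password, stored)
    return ok and row is not None


def stored_secrets(db, table: str) -> list:
    """What 'SELECT *' on a table (or a backup of it) hands an attacker.

    The table name is a trusted constant here; identifiers cannot be bound
    as parameters, which is exactly why they must never come from input.
    """
    return [row[1] for row in db.execute(f"SELECT * FROM {table}")]
```

With users admin/secret123 and bob/hunter2 loaded, vulnerable_login(db, "admin'-- ", "anything") succeeds and stored_secrets(db, "users_plain") returns both passwords verbatim, while safe_login() rejects the same payload and the users table holds only salted hashes. Hashing, not encryption, is the right primitive for passwords: there is no key to lose, and verification never needs the original value.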

Examples of exploiting missing encryption on sensitive data

Man-in-the-middle (MITM) attack:

In this attack, an attacker positioned between the client and the server (the same Wi-Fi network, ARP spoofing on a LAN, a rogue access point, a compromised router or proxy) records the traffic and reads the cleartext directly. Wireshark or tcpdump is all that is needed; a display filter such as http.request.method == "POST" lists the login bodies, credentials included, without any decoding step.
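The example below is added here and is not from the original page: it parses a captured HTTP POST and pulls out exactly what the man-in-the-middle described above gets for free. The "capture" is a constructed byte string standing in for the TCP payload Wireshark would reassemble from the Python login snippet earlier on this page; no packets are sniffed and the field and header names treated as sensitive are an assumption of this example.

```python
from urllib.parse import parse_qs

# Constructed stand-in for the reassembled TCP stream of the Python login
# above when it is sent over plain HTTP.
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: python-requests/2.31.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
    b"username=admin&password=secret123"
)

# Form fields and headers an eavesdropper is interested in (assumed list).
SENSITIVE_FIELDS = {"password", "passwd", "pass", "pin", "token", "card", "cvv", "ssn"}
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def harvest_secrets(raw: bytes) -> dict:
    """Credentials and session material readable from one cleartext request."""
    req = parse_http_request(raw)
    found = {}
    for name in SENSITIVE_HEADERS:
        if name in req["headers"]:
            found[name] = req["headers"][name]
    content_type = req["headers"].get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(req["body"].decode("utf-8", "replace"))
        for field, values in fields.items():
            if any(key in field.lower() for key in SENSITIVE_FIELDS):
                found[field] = values[0]
    return found
```

For the constructed capture, harvest_secrets() returns the password and the session cookie. Over TLS the same attacker sees only the record layer: ciphertext of roughly the same length, plus the server name in the ClientHello (unless Encrypted Client Hello is in use), which is why the fix is the transport, not obfuscating the form fields.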

SQL injection attack:

In this attack, the attacker exploits code that builds SQL from unsanitised input, as in the PHP example above, and uses the injected query to read the table where the sensitive data sits. Because the data was never encrypted at rest, a single UNION SELECT or a blind extraction with sqlmap returns usable plaintext rather than ciphertext the attacker still has to break.

Brute force attack:

Here the lack of encryption is an amplifier rather than the entry point. Passwords captured in cleartext, or lifted from an unencrypted backup or database table, feed wordlists that are then replayed with Hydra or Medusa against every other service the same users have accounts on (credential stuffing); and where the password table itself is plaintext there is nothing left to crack at all.

Insider threat:

In this attack, an insider with access to the unencrypted sensitive data can intentionally or unintentionally leak the data to unauthorized parties. For example, an employee with access to sensitive financial data can download the data and sell it to a competitor or hacker.

Data theft:

In this attack, the attacker first gains a foothold on the host or network (a phished account, an exposed service exploited with Metasploit, a stolen laptop) and then simply copies the unencrypted files or database. With encryption at rest and the keys held elsewhere, the same copy would be worthless; without it, the breach is complete the moment the copy finishes.

Privilege escalation techniques for Missing encryption on sensitive data

Accessing the database directly:

If the sensitive data is stored in a database, an attacker can try to reach the database directly rather than through the application, by exploiting the database service itself, by reusing credentials found in a config file or source code (see the Java example above), or by using SQL injection in the application to run arbitrary queries. Once there, every column that was stored in plaintext is readable as-is.

Using credentials from other systems:

If the user credentials for accessing the system or network are reused on other systems or services, an attacker can try to use these credentials to gain access to the sensitive data. For example, if the user has used the same username and password for their email account, the attacker can try to gain access to the email account and retrieve the credentials for accessing the sensitive data.

Using memory dump analysis:

If the sensitive data is held in process memory, even briefly, an attacker with local access can extract it from a memory dump, a core file, a hibernation file or a virtual machine snapshot. Volatility (or, more crudely, strings followed by grep) over the dump turns up passwords, session tokens and encryption keys that the application decrypted or received and never scrubbed, so encryption at rest does not help against an attacker who can read the memory of the process that holds the key.
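What that search looks like in practice, as an added example rather than code from the page: a minimal version of strings plus a keyword filter over a memory image. The "dump" is a constructed byte string with binary noise around a few secrets, standing in for a process or full-memory dump; the patterns are the assumptions of this example and cover key=value secrets, HTTP bearer tokens and PEM private-key headers.

```python
import re

# Patterns worth pulling out of a dump (an assumed, deliberately short list).
INTERESTING = re.compile(
    rb"(?i)(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+"  # key=value secrets
    rb"|bearer\s+[a-z0-9._\-]{16,}"                               # HTTP bearer tokens
    rb"|-----BEGIN [A-Z ]*PRIVATE KEY-----"                       # PEM key headers
)

# Constructed memory image: binary noise, an HTTP request, an ELF header,
# a process environment variable, a bearer token and a PEM header.
MEMORY_DUMP = (
    b"\x00\x01\xff\xfe" * 8
    + b"GET /health HTTP/1.1\r\n"
    + b"\x7fELF\x02\x01\x01\x00"
    + b"DB_PASSWORD=root123\x00"
    + b"\x90" * 32
    + b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature\r\n"
    + b"\x00" * 16
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n"
    + b"cache line padding text of no interest"
    + b"\xde\xad\xbe\xef" * 4
)


def printable_runs(blob: bytes, min_len: int = 8):
    """Runs of printable ASCII of at least min_len bytes, like `strings -n`."""
    return re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_secrets(blob: bytes, min_len: int = 8) -> list:
    """(offset, text) for every printable run that matches a secret pattern."""
    hits = []
    for run in printable_runs(blob, min_len):
        for m in INTERESTING.finditer(run.group(0)):
            hits.append((run.start() + m.start(), m.group(0).decode("ascii")))
    return hits
```

Against the constructed dump, find_secrets() returns the environment variable value, the bearer token and the PEM header with their byte offsets, which is the same information strings -n 8 -t x dump.raw | grep -i -E 'password|bearer|private key' would give on a real image. Volatility's process-specific plugins narrow the search to one process's address space, which matters on a multi-gigabyte image.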

Exploiting vulnerabilities in other services:

If there are other services or systems that interact with the system or network where the sensitive data is stored, an attacker can try to exploit vulnerabilities in these services to gain access to the sensitive data. For example, if there is a vulnerable web application that interacts with the system, the attacker can exploit the vulnerability to gain access to the sensitive data.

General methodology and checklist for Missing encryption on sensitive data

Methodology:

  1. Identify the sensitive data: The first step is to identify the types of sensitive data that are stored, transmitted or processed by the system or network. This includes personal information, financial data, medical records, intellectual property, and other sensitive data.

  2. Identify the storage locations: The next step is to identify the storage locations where the sensitive data is stored, such as databases, file systems, and memory. It is important to identify all the locations where the sensitive data may be stored, including temporary files and backups.

  3. Identify the transmission channels: The third step is to identify the transmission channels used to transfer the sensitive data, such as network protocols, APIs, and web services. It is important to identify all the transmission channels to ensure that the sensitive data is protected during transfer.

  4. Assess the encryption mechanisms: The fourth step is to assess the encryption mechanisms used to protect the sensitive data. This includes assessing the strength of the encryption algorithm, key management, and the implementation of the encryption mechanism.

  5. Perform vulnerability testing: The fifth step is to perform vulnerability testing to identify vulnerabilities in the system or network that can lead to unauthorized access or disclosure of sensitive data. This includes testing for SQL injection, cross-site scripting, buffer overflow, and other vulnerabilities.

  6. Test access control mechanisms: The sixth step is to test the access control mechanisms used to protect the sensitive data. This includes testing user authentication, authorization, and role-based access control mechanisms.

  7. Perform penetration testing: The final step is to perform penetration testing to simulate attacks on the system or network and identify vulnerabilities that can be exploited to gain access to the sensitive data.

Checklist:

  1. Identify the types of sensitive data that are stored, transmitted, or processed by the system or network. This includes personal information, financial data, medical records, intellectual property, and other sensitive data.

  2. Identify the storage locations where the sensitive data is stored, such as databases, file systems, and memory. Identify all the locations where the sensitive data may be stored, including temporary files and backups.

  3. Identify the transmission channels used to transfer the sensitive data, such as network protocols, APIs, and web services. Identify all the transmission channels to ensure that the sensitive data is protected during transfer.

  4. Assess the encryption mechanisms used to protect the sensitive data. This includes assessing the strength of the encryption algorithm, key management, and the implementation of the encryption mechanism.

  5. Test whether the sensitive data is encrypted while stored in databases, file systems, or other storage locations. Verify that the data is not stored in plaintext.

  6. Test whether the sensitive data is encrypted during transmission between systems or networks. Verify that the data is not transmitted in plaintext.

  7. Test user authentication, authorization, and role-based access control mechanisms used to protect the sensitive data. Verify that only authorized users can access the sensitive data.

  8. Test the backup and recovery procedures used to protect the sensitive data. Verify that the backups are encrypted and securely stored, and that the recovery process is tested regularly.

  9. Test for vulnerabilities in the system or network that can lead to unauthorized access or disclosure of sensitive data. This includes testing for SQL injection, cross-site scripting, buffer overflow, and other vulnerabilities.

  10. Perform penetration testing to simulate attacks on the system or network and identify vulnerabilities that can be exploited to gain access to the sensitive data.
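Checklist items 5 and 8 ask whether stored data and backups are really encrypted, and a tester rarely has the keys to prove it directly. An added example, not from the original page: a triage check that uses the fact that ciphertext from a sound cipher is statistically indistinguishable from random bytes, so high byte entropy together with a low share of printable ASCII is a cheap signal that a column, file or backup is encrypted rather than merely stored somewhere unusual. Compressed data has high entropy too, so the check recognises common compression magic numbers first, and base64-wrapped blobs are decoded before being judged. Both samples are constructed here; the 2048 SHA-256-derived bytes stand in for real cipher output.

```python
import base64
import binascii
import gzip
import hashlib
import math
from collections import Counter

# Magic numbers of common compression formats (high entropy, not encryption).
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"\x28\xb5\x2f\xfd": "zstd",
}
BASE64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\r\n"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b <= 0x7E or b in (9, 10, 13)) / len(data)


def classify(data: bytes) -> str:
    """Cheap triage of a stored blob: plaintext, compressed, base64, or random-looking."""
    for magic, name in COMPRESSION_MAGIC.items():
        if data.startswith(magic):
            return f"compressed ({name})"
    if data and set(data) <= BASE64_ALPHABET:
        try:
            return "base64 of " + classify(base64.b64decode(data))
        except (binascii.Error, ValueError):
            pass
    if len(data) < 256:
        return "inconclusive (fewer than 256 bytes)"
    # Thresholds are heuristics: random bytes sit near 8.0 bits and ~38% printable,
    # natural-language or CSV text well below 6 bits and near 100% printable.
    if shannon_entropy(data) >= 7.5 and printable_ratio(data) <= 0.6:
        return "random-or-encrypted"
    return "plaintext"


# Constructed samples: a customer export in the clear, and 2048 bytes derived
# from SHA-256 that stand in for the output of a real cipher.
PLAINTEXT_EXPORT = (
    b"id,name,card_number,expiry\n"
    b"1001,Alice Example,4111111111111111,12/27\n"
    b"1002,Bob Example,5500000000000004,03/26\n"
) * 6
CIPHERTEXT_SAMPLE = b"".join(
    hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(64)
)
BASE64_SAMPLE = base64.b64encode(CIPHERTEXT_SAMPLE)
GZIP_SAMPLE = gzip.compress(PLAINTEXT_EXPORT)
```

"random-or-encrypted" is deliberately not "encrypted": the check cannot tell AES-GCM output from a poorly seeded random blob or from data encrypted with a key that sits next to it on disk. It is a screening step for deciding which tables, files and backups need the follow-up questions about algorithm, mode and key custody.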

Tool set for testing for missing encryption on sensitive data

Manual Tools:

  • Burp Suite: A web application testing proxy that intercepts and modifies HTTP requests and responses. For this weakness it shows at a glance which requests carry credentials, tokens or personal data over plain HTTP, which cookies lack the Secure flag, and whether an https:// site still loads or posts anything to http:// endpoints.

  • OpenSSL: A cryptographic toolkit whose command-line client is the quickest way to see what a server actually negotiates. openssl s_client -connect host:443 shows the certificate chain, protocol version and cipher suite; adding -tls1 or -tls1_1 checks whether a deprecated version is still accepted; -starttls smtp (or imap, pop3, ftp) tests services that are cleartext until upgraded.

  • Wireshark: A network protocol analyzer used to capture and inspect traffic. Any sensitive value that is sent without encryption is readable directly in the decoded stream, which is the simplest proof of the weakness a report can contain.

  • SQLMap: An open-source tool that detects and exploits SQL injection. Once it can run queries, the contents of the tables it dumps show whether sensitive columns were stored in plaintext.

  • Metasploit: A penetration testing framework with modules that capture credentials from cleartext protocols on the wire (for example the auxiliary/sniffer/psnuffle module) and that provide post-exploitation access to hosts whose unencrypted data can then be copied.

  • Nmap: A network exploration and service discovery tool. Cleartext services stand out immediately in its output (telnet, FTP, HTTP, unencrypted SMTP/IMAP/POP3, LDAP without StartTLS), and the ssl-enum-ciphers NSE script (nmap --script ssl-enum-ciphers -p 443 host) enumerates the protocol versions and cipher suites a TLS endpoint accepts.

  • Hashcat: A GPU password-hash cracker. Passwords should be hashed, not encrypted, and Hashcat is how a tester demonstrates that a recovered hash table uses a fast, unsalted algorithm (MD5, SHA-1, NTLM) that offers little more protection than plaintext.

  • Hydra: An online brute-force tool for password-based authentication over many network protocols; typically fed with credentials recovered from cleartext captures or plaintext stores to test for reuse elsewhere.

  • John the Ripper: A password-hash cracker that supports a wide range of formats, including MD5, SHA-1, and bcrypt (the Blowfish-based scheme), used for the same purpose as Hashcat.

  • Cain and Abel: An older Windows tool, no longer maintained, that combined ARP poisoning, network sniffing and password cracking in one interface; it was the classic demonstration that credentials on an unencrypted LAN protocol belong to whoever is on the LAN.

Automated Tools:

  • Nessus: A vulnerability scanner whose plugins flag cleartext services, expired or self-signed certificates, and weak TLS protocol versions and cipher suites across a network.

  • OpenVAS: An open-source vulnerability scanner with equivalent checks for cleartext protocols and TLS configuration on network infrastructure.

  • OWASP ZAP: An open-source web application scanner and proxy; its passive rules report cookies without the Secure flag, forms that submit over HTTP, and mixed content on HTTPS pages.

  • Acunetix: A commercial web application scanner with checks for credentials sent over unencrypted connections and for insecure cookie and transport settings.

  • Qualys: A cloud-based vulnerability management platform; its scanner and the free SSL Labs server test grade TLS configurations and point out cleartext services.

  • Nexpose: Rapid7's vulnerability scanner, with checks for cleartext protocols and TLS weaknesses on hosts and network devices.

  • Core Impact: A commercial penetration testing platform used to exploit and pivot through hosts; useful for demonstrating what an attacker reaches once unencrypted data is within range.

  • Nikto: An open-source web server scanner that reports server misconfigurations, including the absence of HTTPS-related headers such as HSTS.

  • Retina: BeyondTrust's vulnerability scanner (now discontinued), with checks comparable to Nessus and Nexpose.

  • IBM AppScan (now HCL AppScan): A web application security scanner with checks for sensitive data submitted over unencrypted connections.

Scanners find the transport-level symptoms well (HTTP instead of HTTPS, weak TLS). Whether data is encrypted at rest, and whether the keys are managed sensibly, still has to be established by reading code and configuration and by looking at the stored data itself.

The Common Weakness Enumeration (CWE)

• CWE-311: Missing Encryption of Sensitive Data: The parent weakness for this page. Sensitive data is not encrypted in storage or in transit, leaving it open to unauthorized access or disclosure.

• CWE-312: Cleartext Storage of Sensitive Information: The at-rest child of CWE-311: sensitive data is written to a file, database, log or other storage in a form anyone with read access can use.

• CWE-319: Cleartext Transmission of Sensitive Information: The in-transit child of CWE-311: sensitive information crosses a network or other medium without encryption, where an on-path attacker can read it.

• CWE-321: Use of Hard-coded Cryptographic Key: A key embedded in the software or its configuration is recoverable by anyone with the binary, so the encryption that depends on it protects nothing.

• CWE-798: Use of Hard-coded Credentials: Passwords, API keys or tokens embedded in source or binaries, as in the Java example above; closely related in practice because the same files that lack encryption usually contain these.

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm: Encryption is present but uses an algorithm or mode (DES, RC4, MD5-based constructions, ECB) that an attacker can break, which is the category most of the named TLS attacks further down belong to.

• CWE-336: Same Seed in Pseudo-Random Number Generator (PRNG): A PRNG reseeded with a constant value produces predictable output, so keys, IVs or tokens derived from it can be reproduced by an attacker.

• CWE-341: Predictable from Observable State: Values that should be secret (keys, nonces, tokens) can be predicted from state an attacker can observe, such as time or a process identifier.

• CWE-345: Insufficient Verification of Data Authenticity: Data is accepted without adequate proof of origin or integrity, so an attacker can substitute or modify it undetected; relevant because unauthenticated encryption (CBC without a MAC) leaves this gap open.

• CWE-347: Improper Verification of Cryptographic Signature: A signature is missing, not checked, or checked incorrectly, so signed data or software can be tampered with.

• CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action: Only loosely related: trusting a reverse DNS lookup to decide who a peer is lets an attacker who controls DNS records reach data that should have required authentication.

• CWE-379: Creation of Temporary File in Directory with Insecure Permissions: Temporary files written to a world-readable location expose whatever unencrypted data the program staged there.

Top 10 CVEs related to Missing encryption on sensitive data

• CVE-2022-30237 – A CWE-311: Missing Encryption of Sensitive Data vulnerability exists that could allow authentication credentials to be recovered when an attacker breaks the encoding. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

• CVE-2022-21951 – A Missing Encryption of Sensitive Data vulnerability in SUSE Rancher allows attackers on the network to read and change network data, due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI value overridden. This issue affects SUSE Rancher versions prior to 2.5.14 and versions prior to 2.6.5.

• CVE-2022-0183 – Missing encryption of sensitive data vulnerability in ‘MIRUPASS’ PW10 firmware all versions and ‘MIRUPASS’ PW20 firmware all versions allows an attacker who can physically access the device to obtain the stored passwords.

• CVE-2021-37050 – There is a missing sensitive data encryption vulnerability in Huawei smartphones. Successful exploitation of this vulnerability may affect service confidentiality.

• CVE-2021-36189 – A missing encryption of sensitive data in Fortinet FortiClientEMS version 7.0.1 and below and version 6.4.4 and below allows an attacker to obtain information by inspecting data decrypted in the browser.

• CVE-2021-22782 – Missing Encryption of Sensitive Data vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions, that could cause an information leak allowing disclosure of network and process information, credentials or intellectual property when an attacker can access a project file.

• CVE-2020-7567 – A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Modicon M221 (all references, all versions) that could allow the attacker to find the password hash when the attacker has captured the traffic between EcoStruxure Machine – Basic software and Modicon M221 controller and broke the encryption keys.

• CVE-2020-28217 – A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol.

• CVE-2020-28216 – A CWE-311: Missing Encryption of Sensitive Data vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to read network traffic over HTTP protocol.

• CVE-2020-14157 – The wireless-communication feature of the ABUS Secvest FUBE50001 device does not encrypt sensitive data such as PIN codes or IDs of used proximity chip keys (RFID tokens). This makes it easier for an attacker to disarm the wireless alarm system.

Missing encryption on sensitive data exploits

Strictly, most of the attacks below target encryption that is present but weak or badly implemented (CWE-326/CWE-327) rather than its absence; they belong here because each one turns a supposedly protected channel back into cleartext, and because a scanner reporting one of them is reporting that the data is effectively unencrypted.

  • Heartbleed (CVE-2014-0160): Not a cryptographic flaw but a buffer over-read in OpenSSL's TLS heartbeat extension. Each malformed heartbeat leaks up to 64 KB of server process memory, which in practice contained private keys, session cookies and passwords.

  • POODLE: A padding-oracle attack on CBC mode in SSLv3. An attacker who can force a downgrade to SSLv3 and inject requests (a browser on a hostile network) decrypts a secret such as a session cookie one byte at a time.

  • BEAST: A chosen-plaintext attack on TLS 1.0's CBC mode, which used the previous record's last block as the next IV. With injected requests, an attacker recovers cookies from an intercepted session.

  • DROWN: A cross-protocol attack. A server that still speaks SSLv2, or shares its RSA key with one that does, gives the attacker a Bleichenbacher oracle that decrypts recorded TLS sessions using RSA key exchange.

  • KRACK: Key reinstallation in the WPA2 four-way handshake. Replaying a handshake message makes the client reuse a nonce, which lets the attacker decrypt and in some cases inject traffic on the Wi-Fi link.

  • POODLE Attack Against TLS: Some TLS implementations did not check CBC padding bytes at all, so the SSLv3 padding-oracle technique worked against them even with TLS 1.0 to 1.2 negotiated.

  • BREACH: A compression side channel on HTTP response bodies. Because compressed length depends on how much the attacker's injected input matches the secret, secrets in TLS-protected responses (CSRF tokens) are recovered from ciphertext lengths alone.

  • Lucky 13: A timing side channel in the MAC-then-encrypt padding check of TLS CBC cipher suites, giving a padding oracle precise enough to decrypt data.

  • ROBOT: The return of Bleichenbacher's oracle. Servers that responded differently to valid and invalid PKCS #1 v1.5 padding let an attacker decrypt recorded RSA-key-exchange sessions or forge signatures with the server's key.

  • CRIME: The TLS/SPDY-level predecessor of BREACH: with TLS compression enabled, injected request data leaks request secrets such as cookies through compressed length.

Practical testing for Missing encryption on sensitive data

Identify the sensitive data: Determine what data in the system is considered sensitive and should be encrypted, such as passwords, credit card numbers, or personal identifiable information.

Map data flows: Identify how the sensitive data flows through the system, including where it is stored, transmitted, and processed.

Review code and configuration: Read the application code and the deployment configuration to find the points where encryption is required, such as outbound network calls, database connection strings, file writes, logging, and backup jobs, and check what each one actually does.

Use automated tools: Like vulnerability scanners or web application scanners to identify potential vulnerabilities related to missing encryption on sensitive data.

Test manually: Perform manual testing by attempting to intercept sensitive data during network communication, attempting to access sensitive data in storage, or attempting to modify data in transit.

Verify encryption: Verify that the encryption is applied correctly and the data is adequately protected, such as by reviewing encryption algorithms, key lengths, and proper usage.

Document findings: Document any vulnerabilities or weaknesses found during testing, including their severity, potential impact, and recommendations for remediation.

Retest: After remediation has been completed, repeat the relevant tests to confirm that the vulnerabilities have been adequately addressed.

Resources for studying Missing encryption on sensitive data

OWASP Top Ten: The OWASP Top Ten lists the most critical web application security risks. This weakness appears as A3:2017 Sensitive Data Exposure and, in the 2021 edition, as A02:2021 Cryptographic Failures, which widened the category to cover weak or misused cryptography as well as its absence.

NIST Cybersecurity Framework: The NIST Cybersecurity Framework provides guidance on managing cybersecurity risk; its Protect function includes outcomes that data at rest and data in transit are protected (PR.DS-1 and PR.DS-2 in version 1.1), which is where encryption requirements are usually mapped.

SANS Institute: The SANS Institute provides training and certification programs in information security, including courses on cryptography and secure coding practices.

Online courses: Websites like Coursera, Udemy, and edX offer online courses in information security, cryptography, and secure coding practices.

Books: There are many books on information security, cryptography, and secure coding practices, such as “Cryptography Engineering: Design Principles and Practical Applications” by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno, and “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto.

Conferences: Attend cybersecurity conferences like Black Hat, DEF CON, and RSA to learn about the latest trends and research in information security.

Vulnerability databases: Explore vulnerability databases like CVE and NVD to learn about recent vulnerabilities related to missing encryption on sensitive data.

Books covering Missing encryption on sensitive data

Cryptography Engineering: Design Principles and Practical Applications by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno – This book covers the principles of cryptography and how to apply them to real-world applications.

The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice by Jason Andress – This book provides an introduction to information security concepts, including encryption and data protection.

Web Application Security, A Beginner’s Guide by Bryan Sullivan and Vincent Liu – This book covers web application security topics, including secure coding practices and data encryption.

Securing SQL Server: Protecting Your Database from Attackers by Denny Cherry – This book focuses on securing SQL Server databases, including encrypting sensitive data.

Threat Modeling: Designing for Security by Adam Shostack – This book covers threat modeling techniques to identify and mitigate security risks, including risks related to missing encryption on sensitive data.

Python Penetration Testing Cookbook: Practical recipes on implementing information gathering, network security, intrusion detection, and post-exploitation by Rejah Rehim – This book provides practical examples of how to test for vulnerabilities related to missing encryption on sensitive data using Python.

Hacking: The Art of Exploitation by Jon Erickson – This book covers the basics of hacking, including how to identify and exploit vulnerabilities related to missing encryption on sensitive data.

Data Protection: Ensuring Data Availability by Preston de Guise – This book covers data protection techniques, including encryption and backup strategies.

Computer Security Handbook by Seymour Bosworth, M.E. Kabay, and Eric Whyne – This book covers a wide range of computer security topics, including cryptography and data protection.

The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich – This book covers network security monitoring techniques, including how to identify and respond to incidents related to missing encryption on sensitive data.

List of payloads for testing Missing encryption on sensitive data

  • Submitting sensitive data (such as credit card numbers or social security numbers) via unencrypted HTTP requests while capturing the traffic, to show the values are readable on the wire.

  • Submitting SQL injection payloads (for example a username of admin'-- with a trailing space against a login form like the PHP example above) and reading back the affected table, to show whether the stored values are plaintext.

  • Running password cracking tools (such as John the Ripper or Hashcat) against a recovered password table, to show whether passwords are stored in plaintext, with a fast unsalted hash, or with a proper slow salted hash.

  • Attempting to intercept and read data transmitted over unencrypted channels (such as an open Wi-Fi network or an internal LAN) using packet sniffers like Wireshark or tcpdump.

  • Attempting to read sensitive files, database files or backups directly from the server's file system, to show that no encryption at rest stands between file access and the data.

Mitigations for Missing encryption on sensitive data

  1. Use strong encryption correctly: TLS 1.2 or later with modern cipher suites for data in transit, and an authenticated mode such as AES-GCM or ChaCha20-Poly1305 for data at rest. Keep keys out of the code and out of the data store they protect (a KMS or HSM), rotate them, and hash passwords with a salted slow function instead of encrypting them.

  2. Implement access controls: Use access controls to limit access to sensitive data only to authorized individuals and systems. Use role-based access control to restrict access based on job responsibilities.

  3. Implement data loss prevention (DLP) measures: Implement DLP measures to detect and prevent unauthorized access or data exfiltration of sensitive data.

  4. Implement security monitoring: Use security monitoring tools to detect anomalous activities, such as unauthorized access attempts or data exfiltration.

  5. Regularly update software and systems: Keep software and systems up to date with the latest security patches to reduce the risk of exploitation.

  6. Use secure coding practices: Use vetted libraries rather than custom cryptography, refuse cleartext endpoints in client code, keep credentials out of source, and review logging so that sensitive values are not written to logs in the clear.

  7. Use multi-factor authentication: Require multi-factor authentication to access sensitive data to reduce the risk of unauthorized access.

  8. Conduct regular security testing: Regularly test for vulnerabilities related to missing encryption on sensitive data, and promptly remediate any vulnerabilities that are discovered.

Conclusion

Missing encryption on sensitive data can lead to serious security breaches and data loss. Attackers can exploit this vulnerability to gain unauthorized access to sensitive information, which can result in financial loss, damage to reputation, and legal repercussions. Therefore, it is important to take proactive measures to protect sensitive data, including implementing strong encryption algorithms, access controls, security monitoring, and regular security testing. By doing so, you can reduce the risk of vulnerabilities related to missing encryption on sensitive data and safeguard your organization’s valuable information.
