Re: Re: Questions on TroopMaster DotNet Security

by Zachary Heaton-2

On 26 May 2009, at 18:53, Matt Price wrote:

>> DotNet license to supplement our existing Troopmaster license. I'm
>> concerned about the security implications of regularly transmitting
>> Troop personal data across the Internet
>
> Historically, most of the data that gets lifted is not that being
> transmitted electronically.  It is the information in the trash can or
> in other people's hands that commonly become an issue of pilfering.

Historically, yes.  However, this trend is changing.  If you take a  
look at the Verizon 2008 data breach report (a fascinating read), over  
the past four years physical access was only an attack pathway in 21%  
of data breaches.  The big winners are remote access and control  
software (42%), web applications (34%), trailed by internet-facing  
systems (24%).

Of further interest is Verizon's breakdown of information channels  
which were attacked - online data was involved in 93% of the breaches  
they studied, offline data in 7%, and end-user devices in 7%.  This  
correlates with intuition suggesting that repositories with more data  
are more likely to be attacked.

<http://www.verizonbusiness.com/resources/security/databreachreport.pdf>

Applying this thinking to TroopMaster, this suggests that the DotNet
storage servers are the "mother lode" and the most likely attack
target, since they would give the best return for an attacker's
investment.

>> TroopMaster has a "data encryption password" which is set per user
>> and I assume is used for sftp/ssl/tls transmissions. My
>> memory is that its advertized that you can just change this password
>> to disable people when they leave the troop, and not
>> change the other passwords.
>
> Unless my memory fails me, all information is transmitted via dot net
> to secure servers, which is then translated and replicated with
> Scoutnet servers.

It's the definition of "secure servers" that has me worried - if the  
communications with the servers are not encrypted, then the servers  
aren't all that secure.  Can anyone with DotNet and a copy of  
WireShark (or detailed firewall logs) confirm whether or not the  
DotNet traffic is encrypted? <http://www.wireshark.org/>

Additionally, vulnerabilities in the FTP servers could expose the
service to attack - e.g., the recent ProFTPD SQL injection
vulnerability.  <http://isc.sans.org/diary.html?storyid=5845>

I honestly wouldn't worry about the server security as much if there
weren't phrases in the TroopMaster marketing materials about "we don't
release the actual location of the server to anyone."  If they're
talking about hiding the server IP address, then this is a)
nonsensical and b) displays a fundamental lack of understanding of how
the Internet works.  This does not give me a great deal of confidence
in the security of TroopMaster's server configuration, and I really
hope that the person who wrote that ad copy is not the server admin.

As for the ScoutNet servers, I hadn't seen that one before - if the  
data is synchronized with ScoutNet automatically, then that's another  
attack surface to secure.

>> We do NOT keep social security numbers in the database. Only needed
>> to do for one time background checks on adults, I've seen no uses for
>> them for Scouts, and refused to give them for my boys. But the field
>> is there...
>
> Social Security numbers for the sake of the unit are not needed.  In
> fact, Social Security numbers for national are really not needed
> because 100% of all criminal background checks are done by name and
> birthdate.

Agreed wholeheartedly - I'm not certain why National puts them on the
adult application as "required," but I have no desire to store them
myself.

Yours in Scouting,
Zach Heaton
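
The Wireshark check asked for in the post above, sketched as an added example that is not part of the original message: given the TCP payloads of one stream exported from a capture, it distinguishes TLS, SSH (as used by SFTP), FTP upgraded with AUTH TLS, and an FTP login sent in the clear. The function names and sample payloads are constructed for illustration and say nothing about what TroopMaster DotNet actually sends.

```python
# Added example: first-pass classification of one captured TCP stream.
# Input is the ordered list of raw payloads (both directions) of a stream.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def is_tls_record(p: bytes) -> bool:
    # TLS record header: content type 20-23, then version 0x03 0x00..0x04.
    return len(p) >= 5 and p[0] in (20, 21, 22, 23) and p[1] == 3 and p[2] <= 4

def classify_stream(payloads):
    if not payloads:
        return "empty"
    if is_tls_record(payloads[0]):
        return "tls"                      # encrypted from the first byte
    if payloads[0].startswith(b"SSH-"):
        return "ssh"                      # SFTP runs inside an SSH session
    auth_tls = False
    for p in payloads:
        if is_tls_record(p):
            # TLS begins mid-stream: explicit FTPS if AUTH was requested first.
            return "ftps-explicit" if auth_tls else "tls-upgrade"
        for line in p.split(b"\r\n"):
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"AUTH":
                auth_tls = True
            elif verb in (b"USER", b"PASS"):
                return "cleartext-ftp-login"   # credentials readable on the wire
    if all(b in PRINTABLE for p in payloads for b in p):
        return "cleartext-other"
    return "unknown-binary"

# Constructed sample streams (not taken from any real capture).
CLIENT_HELLO_START = bytes([0x16, 0x03, 0x01, 0x00, 0x2E, 0x01])
SAMPLES = {
    "tls": [CLIENT_HELLO_START],
    "ssh": [b"SSH-2.0-ExampleServer\r\n"],
    "ftps-explicit": [b"220 ready\r\n", b"AUTH TLS\r\n",
                      b"234 proceed\r\n", CLIENT_HELLO_START],
    "cleartext-ftp-login": [b"220 ready\r\n", b"USER example\r\n",
                            b"331 password required\r\n", b"PASS example\r\n"],
}

if __name__ == "__main__":
    for expected, stream in SAMPLES.items():
        print(expected, "->", classify_stream(stream))
```

A "tls" or "ssh" result only shows that the channel is encrypted; it does not show how the server validates certificates or host keys.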