New AUSKF Membership Management System Security Thread
(summary of Jan'17 emails between
subject: New AUSKF Membership Website Security Concerns
---------- Forwarded message ----------
Dear Yoshida sensei, Travis, and Steve,
I know you are probably very, very busy working on the new membership database system, and thank you very much for all your efforts!
We had our monthly SCKF Board of Directors meeting last Saturday, and one of the BoD members, Daniel Ouellette, raised some concerns that I hadn't considered. I asked him to write them up so we could pass them on to you asap; please see attached.
Per our conversation at the SCKF board meeting I wanted to raise some concerns regarding the new AUSKF membership website. I'm very excited that the federation is entering the digital age, however, it's important that it do so with necessary caution. As an Information Security professional, I'm very aware of these risks and I'm attempting to help the Federation by identifying, and offering recommendations, before the website goes live.
As always, Security has to be balanced with usability. This is offered only as a high-level list of security risks. In general, risks can either be mitigated (by fixing the vulnerabilities), transferred (such as by purchasing insurance), or accepted. It's up to the federation and the developers to weigh those risks with the other requirements for the project and then decide how to handle them. Not being aware of all the design requirements, I may have inadvertently identified items that are not applicable. I'd be more than happy to discuss any of the items in the above list.
- The new website will be collecting a large amount of Personally Identifiable Information (PII) from a large membership base. It will be necessary to know where, geographically, the population is drawn from as each jurisdiction has different requirements. Should there be a breach, different jurisdictions have differing definitions of what constitutes a breach, what triggers breach notifications and what timelines must be adhered to. It's good to know this ahead of time rather than having to figure it out after a breach occurs. Being a US-based organization, I assume it will only have American users. However, if it has PII from foreign citizens, the countries where they reside may also have differing laws.
Should a breach occur we have a plan in place to notify the members of the event and a fail safe mechanism that requires a password reset with email verification upon next access to the website.
- Separate, but similar to the above, is the necessary data handling laws. Within the US, you're pretty safe. However, if data is collected on foreign citizens, the data collection laws for those locations will need to be followed.
We are currently following industry recognized standards for data security and in many cases exceeding these standards.
- The type of data that's collected will need to be examined. If it contains any data types that could be considered protected health information, additional data protection requirements may apply. I believe that as AUSKF is not a health provider, school/university, or health clearing house, that these requirements probably don’t apply.
The law you are referring to is called HIPPA (Health Insurance Portability and Accountability Act of 1996). We do not collect, store analyze or make available storage of any data that falls under the HIPPA category.
- The data being collected may be for members that are under the age of 13. I know that data regarding minors must be handled carefully, and believe (though I'm not positive) that people under the age of 13 have additional requirements.
The law you are referring to is called the Children's Online Privacy Protection Act enacted in 1998. This law applies to the operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience (we fall under this identifier) websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
What does this mean for the usage model where a dojo representative registers some or all of their dojo members?
This is a special case. If the dojo representative wishes to register all members we will need explicit consent from the legal guardian. This can be achieved at the dojo level via parental consent or unfortunately we will need the guardian to actually register their children. This is because the law does not allow us to knowingly store even temporary data for children under 13.
If the dojo rep that is doing the registration has a contact email for the parents then during registration we can offer to notify the guardian/parent in an email and provide a link for them to follow to complete the registration process. This is not current functionality, however I can make this happen in short order.
- Special care must be taken to harden the website against attack. Here are some recommendations.
- Enable HTTPS for the website and redirect all traffic to use HTTPS. The HTTP port should only be used to redirect traffic to the secure site.
- Use an SSL certificate to secure the website. Using a certificate from a known Certificate Authority will cause the "lock" on the browser to show that the connection is secure without displaying a warning dialog about an "unauthenticated or self-signed certificate". There are low-cost and free SSL certs available (e.g. https://letsencrypt.org).
All traffic to the site is being done over SSL. We have a 2048 bit SHA-2 cert purchased specifically for this site, serial number: c5:57:01:8c:23:f2:1f:db issued by godaddy.com whom is in the global trust.
- Use encryption on the data at rest. If the site is breached, you don't want the hackers having full access to all members' data.
We are currently not encrypting all data as this is not only not necessary, it is not considered a breach of confidence or requirement by the FTC and has been determined to fall under the category of onerous requirements with dubious value.
- Be aware of common vulnerabilities when coding. I use the OWASP Top 10 as a good starting point (https://www.owasp.org/images/f/f8/OWASP_Top_10_-_2013.pdf). This is an Open Source project which attempts to identify the most common vulnerabilities and is updated (about) every 3 years. 2013 is the latest update. Of particular concern are cross-site scripting and SQL injection vulnerabilities. These can both be mitigated with adequate user input filtering and validation.
Thank you for the recommendation, we are quite familiar with this work and have actually contributed in the past to this project.
Regarding cross-site scripting aka XSS, we do not allow the posting of any potentially hazardous information that could then be displayed to another user. This is accomplished through a layered system of security starting with the generation of anti-forgery tokens during form submission that must match on the server, and also disallowing the posting and processing of any text that could be interpreted at runtime by any browser as script. ASP.Net and IIS by default do not allow dangerous text to be posted, this is the default behavior as of version 6 (we are using version 8). In addition to the anti-forgery and built in protections, we also http-encode form data with strips out any characters that could be used for an XSS attack. And finally, we do not display any user generated content other than user information to the logged in user .
- Don't handle financial data unless absolutely necessary. The requires compliance with additional Payment Card Industry - Data Security Standards (PCI-DSS). Instead, it would be better to have a link that allows people to pay via Paypal or similar processor.
We are completely PCI (Payment Card Industry) compliant. https://www.pcicomplianceguide.org/pci-faqs-2/ Not only do we not collect and store any financial information, we never have any financial information even transmitted to our servers. We use a third party financial service that through an encrypted connection communicates directly to the end user to gather any needed information. This service then processes this information and provides us (the membership site) with a one use, short lived (1 minute) token which we can submit back to the service to request a charge that has been previously (either one time or recurring at the user's discretion) authorized by the end user to the third party financial institution. As such no sensitive information is stored either in persistent, durable or volatile storage on our site or accessed by our code base.
- If financial data is kept, encrypt everything and keep it separate from the PII of the members.
- Have a penetration test or vulnerability assessment performed. Using the same methods a malicious hacker uses, the pen tester will attempt to break into the application and exfiltrate data. The "White-Hat" hacker can then explain what the vulnerabilities were and how to fix them.
We currently are actively doing this.
- Get cyber-insurance. It's becoming common for insurers to exclude cyber as part of their liability coverage. Check the AUSKF policy. Even a "small" breach can be very expensive.
- Get AUSKF lawyers involved. Stories of data breaches continue to show up in the news. Knowing, ahead of time, what to do in the event of a breach can greatly speed the recovery and reduce costs. Getting the lawyers to help identify the data protection laws involved and create incidence response plans can help minimize future potential costs.
I hope I did not unnecessarily frighten the federation away from implementing a website. I think using the old spreadsheets were cumbersome and look forward to using a more modern tool. I just wanted provide some feedback that could help the federation avoid future embarrassment and/or expenses.
Thank you for your time.
Daniel Ouellette, CISSP
These are great conversation points. Just for background, I am the senior developer and team lead for the State of Minnesota TIES (http://ties.k12.mn.us/) Fee payment systems. We create online software for use by school districts to do online payment processing as well as health information tracking for school activities. As such I encounter these concerns frequently as we deal with what is possibly the most legislatively sensitive data a website could potentially handle.I mention this to assuage any fears that this data is not being handled in a secure manner by professional developers.
TIES US. MN.EDU
Thank you for such a prompt and thorough response. This greatly eases my mind concerning the website development and I'm glad to see that these issues are already being actively discussed and addressed by the developers. Given that the appear to be well versed in PCI compliance, COPA, and other relevant regulations, I don't see any reason to be overly concerned with the implementation. My only remaining recommendation would be to enlist the help of some penetration testers or the use of a vulnerability scanner during the QA to validate the implementation. Otherwise, I think this looks great. Again, thanks for addressing our concerns.
Daniel Ouellette, CISSP
Also see main thread.
- 1/14/17: Jan SCKF BoD meeting, continue discussion from Dec 12/3/16
meeting re AUSKF new fees and membership system
- 1/16-18/17: above email thread
- 2/4/17: Feb SCKF BoD meeting, continue discussion from Jan meeting,
including the above thread
- 2/5/17: send request letter to AUSKF including
unanswered concerns from the above thread
- 2/24/17: send 2nd letter to AUSKF including
jurisdiction (state law) concerns from the above thread
Note: history first added 2/14/17, then updated as events occurred.
SCKF home page