
Basic Levels of Security

  By: rdbrown(Asgardian) on 17 June 2017, 6:30 p.m.

My initial observations are that there is plenty of room for improvement regarding basic security.

I'll try to refrain from turning my first post into a rant of ALL observations, but I will start with a few things very basic.

> User Authentication: The initial registration process does not allow the user to set a password of their choice. This is okay, but the initial password (which is emailed, so should not be considered secure) needs to be changed at first login. In fact, registration should time out and not be considered valid until this initial password has been changed, limiting access to only the completion of the registration process. NOTE: Voting is allowed prior to the completion and verification of the registration process. This can make the voting process invalid, as it is not required to validate registration from a unique email address prior to voting.

Two-factor authentication also needs to be at least an option. Many people tend to re-use passwords or have very weak passwords. Also, the fact is that some Asgardians subscribe to many forms of public media sites whilst using the same username and password; if any of those sites become compromised, the use of a static password becomes a problem. Multiple forms of two-factor authentication exist, therefore there should be multiple options (YubiKey, Duo, Authy, OnlyKey, etc.).

> Password Storage: Simply put, the following should be a guideline: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

> Data at rest/transit/use: Data needs to be encrypted in a way which prevents all or parts of data in a database from being exposed if compromised. One solution that may be considered is ZeroDB / NuCypher.

Asgardia, if not already, will be a target by not only drive by attackers but also Nation State actors. Due diligence will need to be adapted as soon as possible to ensure current and digital security. Espionage, sabotage and drive-by attacks will be some of the purposes for Asgardia to come under digital attack. We must be ready.

Other parts of this same discussion:

> Security Auditing and Penetration Testing need to be scheduled on a regular basis and need to be built into the pre-release process of all public and private networks and applications.
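The registration flow the post above asks for (emailed one-time password that must be changed at first login, a registration timeout, and no voting until the account is verified), combined with the OWASP-style salted, memory-hard password hashing it points to, as an added Python sketch that is not the forum's or the Asgardia site's code. The 24-hour window, the 12-character minimum and the scrypt parameters are assumed values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# scrypt parameters (assumed): memory-hard KDF with a per-user random salt,
# in line with the OWASP Password Storage Cheat Sheet. 128*N*r bytes = 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
TEMP_PASSWORD_TTL = 24 * 3600  # assumed registration window, seconds
MIN_PASSWORD_LEN = 12          # assumed minimum for the user-chosen password

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

class Account:
    def __init__(self, email: str, now: float):
        self.email = email
        temp = secrets.token_urlsafe(12)          # sent by email once; stored only hashed
        self.salt, self.digest = hash_password(temp)
        self.must_change = True                   # first login must replace it
        self.expires_at = now + TEMP_PASSWORD_TTL # registration times out after this
        self.verified = False
        self.emailed_password = temp              # kept only to simulate the email here

    def login(self, password: str, now: float) -> bool:
        if self.must_change and now > self.expires_at:
            return False  # temporary password expired: registration is void
        return verify_password(password, self.salt, self.digest)

    def change_password(self, old: str, new: str, now: float) -> bool:
        if not self.login(old, now) or len(new) < MIN_PASSWORD_LEN:
            return False
        self.salt, self.digest = hash_password(new)  # new salt with the new password
        self.must_change = False
        self.verified = True                         # registration completes here
        return True

    def can_vote(self) -> bool:
        # Voting is gated on completed registration, unlike the behaviour described above.
        return self.verified and not self.must_change
```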

Re: Basic Levels of Security  

  By: brian trulove(Asgardian) on 20 June 2017, 7:52 p.m.

Agree on all of your points. The lack of ability to change passwords coupled with it being sent in clear text via email is concerning. Really makes me question the rest of the security practices such as encrypted storage, salting, etc. How secure is the database that's used to store the personal information collected during registration? A potential SQL injection attack and you've given up information on 200,000+ people.

Re: Basic Levels of Security  

  By: NikitaRudnev(Asgardian) on 22 June 2017, 5:54 p.m.

You cannot just assess the security of the database. To avoid any leakage, it is necessary to regularly check all the parameters for safety, and I think that this kind of scanning should be carried out by a group of specialists, rather than one person, since this is, in part, a creative work and every specialist has his own individual approach.

And do not forget that SQL is not the only possible vulnerability, potential vulnerabilities are complete, and scanning should occur REGULARLY!

Re: Basic Levels of Security  

  By: trqx(Asgardian) on 27 June 2017, 9:46 a.m.

Fully agreed, I find this concerning and should be a top priority topic.

I hope the whole Asgardia tech stack will be fully publicly auditable in the future.

Re: Basic Levels of Security  

  By: Chris Pavlis(Asgardian, Candidate) on 27 June 2017, 2:54 p.m.

Agreed, if he's sending passwords out in cleartext then he's storing them similarly, we may need to replace the current coder(s)

Re: Basic Levels of Security  

  By: Levinor(Asgardian) on 10 August 2017, 11:07 a.m.

I agree.

Do we know who is responsible for the digital security of Asgardia? Is she/he reading this? I think it would be a good idea to form a digital security group to test and improve the level of security we have.

Re: Basic Levels of Security  

  By: Chris Pavlis(Asgardian, Candidate) on 30 October 2017, 6:20 a.m.

https://asgardia.space/en/petitions/17778-hackathon-3901-voting-system/