[ECODP-dev] EC ODP New tickets wrt security

Darwin Peltan darwin.peltan at okfn.org
Wed Dec 12 13:15:36 UTC 2012


Hi,

We've had a look at these tickets and have the following comments.

User reset and list of users


   - We’ll remove the password reset functionality. (Ops manual would need
   to give users contact details for an admin who can reset their password)
   - We'll remove the list of users (note this isn't really a security
   issue, most webapps expose the user's username e.g. twitter, github etc)


Limiting the rate of login attempts


   - We would suggest limiting the number of attempts that one IP address
   can make via Nginx. This would make a brute force attack very slow. I.e.
   one login attempt per second per IP. 10F can set this in the Nginx config
   using this module http://wiki.nginx.org/HttpLimitReqModule
   - As a second step the EC should monitor if certain IPs are making
   excessive failed login attempts
   - The EC can also improve security by choosing strong passwords when
   creating user accounts. There is no limit on the password length so they
   could follow best practice and give users passphrases (with
   capitalisation/special characters etc) rather than single word passwords.
   This would make a brute force attack very difficult.

John works from Monday to Wednesday so he will start work on removing the
user reset and the list of users next week. However with the meeting on
Wednesday we probably won't be able to provide a new release until January.

Bert - I'm afraid we weren't quite clear what the issue was that you
referred to in your email about restricting access to the API. Is
everything consistent with this document?
https://docs.google.com/folder/d/0B8mD0VAT9tXFOWJaQVMzbGpjcUU/edit?docId=1DiUoIprVorP4_4umSy4LnjedegSmuI62tBH6jucS0jE


Best,

Darwin

Darwin Peltan
Project Manager

The Open Knowledge Foundation
http://www.okfn.org

Skype: darwinp
Twitter: @darwin



On 11 December 2012 12:00, Bert Van Nuffelen <bert.van.nuffelen at tenforce.com> wrote:

> Hi John and Darwin,
>
> sorry for not providing you the next feedback earlier.
> Ian has provided us some nginx configurations (see some google doc)
> for the case ODP-160 & ODP-161 but from my little experiment I could
> not lock the api.
> Maybe something additional has to be done.
>
> Bert
>
>
> 2012/12/11 Bastiaan Deblieck <bastiaan.deblieck at tenforce.com>:
> > Hello,
> >
> > The PO created 3 tickets yesterday wrt security.
> >
> > Please have a look. And send feedback.
> >
> > Thanks,
> > Bastiaan
> >
> > -----
> >
> > Security weakness with Login feature
> >
> > https://webgate.ec.europa.eu/publications/jira/browse/ODP-160
> >
> > URL: https://webgate.ec.europa.eu/open-data/data/user/reset
> >
> > The text field allows wildcard characters like * and ? so that you can
> > easily find valid usernames. A nonexistent user gives a user not found
> > message, a valid user gives an internal server error message.
> >
> > After finding a valid user, one can proceed to
> > https://webgate.ec.europa.eu/open-data/data/user/login and launch a brute
> > force script to try as many passwords as possible because there is no
> > security mechanism against brute force attacks in place.
> >
> > List of users is publicly visible
> >
> > https://webgate.ec.europa.eu/publications/jira/browse/ODP-161
> >
> > URL: https://webgate.ec.europa.eu/open-data/data/user
> >
> > ODP has a publicly available list of valid accounts published on the
> > website. As this list is not supposed to be known to everybody, this is a
> > clear security weakness and would be a great support to hacking for
> > finding how to get in (see also in ODP-160)
> >
> >
> > Access blocked to the entire EC after only a few unsuccessful logins
> >
> > https://webgate.ec.europa.eu/publications/jira/browse/ODP-162
> >
> > URL: https://webgate.ec.europa.eu/open-data/user
> >
> > After only a few (unsuccessful) logins, Drupal blocks the IP address for 1
> > hour. In case of the EC network, or any other large organization that
> > uses a gateway/proxy with only a single IP address visible to the outside
> > world, the whole organization will be blocked
> >
> >
> >
> > --
> > Bastiaan Deblieck
> > Semantic Technology Business Unit Manager
> >
> > http://www.tenforce.com/
> > T: +32 16 31 48 60
> > M:+32 475 95 49 32
> >
>
>
>
> --
> Bert Van Nuffelen
>
> Semantic Technologies Software Architect at TenForce
> www.tenforce.be
>
> Bert.Van.Nuffelen at tenforce.com
> Office: +32 (0)16 31 48 60
> Mobile:+32 479 06 24 26
> skype: bert.van.nuffelen
>