[ECODP-dev] EC ODP New tickets wrt security

Bert Van Nuffelen bert.van.nuffelen at tenforce.com
Wed Dec 12 14:32:17 UTC 2012


Hi Darwin,

2012/12/12 Darwin Peltan <darwin.peltan at okfn.org>:
> Hi,
>
> We've had a look at these tickets and have the following comments.
>
> User reset and list of users
>
> We’ll remove the password reset functionality. (Ops manual would need to
> give users contact details for an admin who can reset their password)
> We'll remove the list of users (note this isn't really a security issue,
> most webapps expose the users username e.g. twitter, github etc)
>
>
> Limiting the rate of login attempts
>
> We would suggest limiting the amount of attempts that one IP address can
> make via Nginx. This would make a brute force attack very slow. I.e. one
> login attempt per second per IP. 10F can set this in the NginX config using
> this module http://wiki.nginx.org/HttpLimitReqModule
> As a second step the EC should monitor if certain IPs are making excessive
> failed login attempts.
> The EC can also improve security by choosing strong passwords when creating
> user accounts. There is no limit on the password length so they could follow
> best practice and give users passphrases (with capitalisation/special
> characters etc) rather than single word passwords. This would make a brute
> force attack very difficult.
>
> John works from Monday to Wednesday so he will start work on removing the
> user reset and the list of users next week. However with the meeting on
> Wednesday we probably won't be able to provide a new release until January.
>

> Bert - I'm afraid we weren't quite clear what the issue was that you
> referred to in your email about restricting access to the API. Is everything
> consistent with this document?
> https://docs.google.com/folder/d/0B8mD0VAT9tXFOWJaQVMzbGpjcUU/edit?docId=1DiUoIprVorP4_4umSy4LnjedegSmuI62tBH6jucS0jE
>
I tried the instructions of that document, but the result was that I
was still able to execute all curl calls.

kind regards,

Bert

>
> Best,
>
> Darwin
>
> Darwin Peltan
> Project Manager
>
> The Open Knowledge Foundation
> http://www.okfn.org
>
> Skype: darwinp
> Twitter: @darwin
>
>
>
> On 11 December 2012 12:00, Bert Van Nuffelen
> <bert.van.nuffelen at tenforce.com> wrote:
>>
>> Hi John and Darwin,
>>
>> sorry for not providing you with the next feedback earlier.
>> Ian has provided us some nginx configurations (see some google doc)
>> for the case ODP-160 & ODP-161 but from my little experiment I could
>> not lock the api.
>> Maybe something additional has to be done.
>>
>> Bert
>>
>>
>> 2012/12/11 Bastiaan Deblieck <bastiaan.deblieck at tenforce.com>:
>> > Hello,
>> >
>> > The PO created 3 tickets yesterday wrt security.
>> >
>> > Please have a look. And send feedback.
>> >
>> > Thanks,
>> > Bastiaan
>> >
>> > -----
>> >
>> > Security weakness with Login feature
>> >
>> > https://webgate.ec.europa.eu/publications/jira/browse/ODP-160
>> >
>> > URL: https://webgate.ec.europa.eu/open-data/data/user/reset
>> >
>> > The text field allows wildcard characters like * and ? so that you can
>> > easily find valid usernames. A nonexistent user gives a user not found
>> > message, a valid user gives an internal server error message.
>> >
>> > After finding a valid user, one can proceed to
>> > https://webgate.ec.europa.eu/open-data/data/user/login and launch a
>> > brute force script to try as many passwords as possible because there is
>> > no security mechanism against brute force attacks in place.
>> >
>> > List of users is publicly visible
>> >
>> > https://webgate.ec.europa.eu/publications/jira/browse/ODP-161
>> >
>> > URL: https://webgate.ec.europa.eu/open-data/data/user
>> >
>> > ODP has a publicly available list of valid accounts published on the
>> > website. As this list is not supposed to be known to everybody, this is a
>> > clear security weakness and would be a great support to hacking for
>> > finding how to get in (see also in ODP-160).
>> >
>> >
>> > Access blocked to the entire EC after only a few unsuccessful logins
>> >
>> > https://webgate.ec.europa.eu/publications/jira/browse/ODP-162
>> >
>> > URL: https://webgate.ec.europa.eu/open-data/user
>> >
>> > After only a few (unsuccessful) logins, Drupal blocks the IP address for 1
>> > hour. In case of the EC network, or any other large organization that
>> > uses a gateway/proxy with only a single IP address visible to the outside
>> > world, the whole organization will be blocked.
>> >
>> >
>> >
>> > --
>> > Bastiaan Deblieck
>> > Semantic Technology Business Unit Manager
>> >
>> > http://www.tenforce.com/
>> > T: +32 16 31 48 60
>> > M: +32 475 95 49 32
>> >
>>
>>
>>
>> --
>> Bert Van Nuffelen
>>
>> Semantic Technologies Software Architect at TenForce
>> www.tenforce.be
>>
>> Bert.Van.Nuffelen at tenforce.com
>> Office: +32 (0)16 31 48 60
>> Mobile: +32 479 06 24 26
>> skype: bert.van.nuffelen
>
>



-- 
Bert Van Nuffelen

Semantic Technologies Software Architect at TenForce
www.tenforce.be

Bert.Van.Nuffelen at tenforce.com
Office: +32 (0)16 31 48 60
Mobile: +32 479 06 24 26
skype: bert.van.nuffelen
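An added example, not part of this thread or of the ODP configuration: an nginx fragment implementing the one-login-attempt-per-second-per-IP limit Darwin suggests, using the module he links (limit_req). The login path is the one in ticket ODP-160; the zone name and size, burst value and backend address are assumptions.

```nginx
# Added example (not from the thread): per-IP rate limit on the CKAN login
# endpoint, as suggested in the reply above. Zone name/size, burst and the
# backend address are assumptions; the path comes from ticket ODP-160.

http {
    # Only count login POSTs. limit_req does not account requests whose key
    # is empty, so plain GETs of the login form are left alone.
    map $request_method $login_limit_key {
        default "";
        POST    $binary_remote_addr;
    }

    # One login attempt per second per client address; a 10m zone holds
    # roughly 160k addresses.
    limit_req_zone $login_limit_key zone=login:10m rate=1r/s;

    server {
        listen 80;
        server_name webgate.ec.europa.eu;   # host from the ticket URLs

        location = /open-data/data/user/login {
            # burst=5: up to 5 extra attempts are queued (delayed, not
            # dropped); anything beyond that is rejected immediately.
            limit_req zone=login burst=5;
            limit_req_log_level warn;        # rejected attempts go to error_log
            limit_req_status 429;            # needs nginx >= 1.3.15
            proxy_pass http://127.0.0.1:5000;   # assumed CKAN backend
        }

        location /open-data/ {
            proxy_pass http://127.0.0.1:5000;   # assumed CKAN backend
        }
    }
}
```

Because the key is the client address, every user behind one outbound gateway shares the same bucket, which is the situation ODP-162 describes; the limit only delays rather than blocking for an hour, but the monitoring step in the reply should use the real client address where the gateway forwards one.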