Why would you use Vega’s Secure Web Portal for your real-time online web presence?
Vega have spent more than 20 years developing Sirius, our online portal. It has been designed from the ground up with security in mind.
Would you like to give your clients better online services but are worried about the risk of data leaks? Can you tell whether an online offering is secure and robust, let alone know whether it’s even affordable? With the new GDPR regulations it is not surprising that some people are fearful about opening up their data to others via the internet. Here are some things to consider:
- Brute force password attack
- Stolen Password
- Stolen Database
- Key Logging or Network Traffic Interception (Man in the Middle)
- SQL Injection
- URL Manipulation
How does Sirius address these?
Brute force password attack
This is where a hacker simply tries millions of usernames and passwords. This is partly how iCloud was compromised and images of celebrities stolen. Sirius defends against this by locking out any account that has a small number of failed login attempts in a row.
Stolen Password
If a user’s password is compromised somehow, Sirius can still defend against unauthorised access. Sirius supports Memorable Words, Two Factor Authentication using Google Authenticator, and also Vasco One Time Passwords and Challenge Response verification, making Sirius suitable for hosting online payment solutions.
Stolen Database
Let’s say a hacker succeeds in stealing a Sirius database with user credentials in it. Could they use the information to get into the online system?
Sirius defends against this by not storing passwords at all. Sirius stores a cryptographic hash of the password. This hash is salted to prevent the use of rainbow tables. A rainbow table is a huge database of precomputed hashes for millions of passwords that a hacker can simply look up to determine what the password is. By adding a random string of characters (the salt) to the beginning of the password and then calculating the hash, the rainbow table that would be needed becomes too enormous to be of practical value.
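The two defences described above (lockout after a small number of consecutive failed logins, and storing only a salted hash rather than the password) fit naturally into one login routine. The following is an added illustration, not Sirius code: the lockout threshold of three, the PBKDF2 work factor, and the in-memory user store are assumptions, and the user records are constructed sample data.

```python
import hashlib
import hmac
import os

MAX_CONSECUTIVE_FAILURES = 3   # assumed threshold; the page only says "a small number"
PBKDF2_ITERATIONS = 100_000    # assumed work factor for the password hash


def make_record(password: str) -> dict:
    """Create the stored credential: a random salt plus the salted hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked": False}


def check_password(record: dict, password: str) -> bool:
    """Recompute the salted hash for the offered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def login(users: dict, username: str, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'. Failures in a row lock the account; a success resets the count."""
    record = users.get(username)
    if record is None:
        # Unknown user: still do one hash so response time does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
        return "denied"
    if record["locked"]:
        return "locked"
    if check_password(record, password):
        record["failures"] = 0          # only consecutive failures count
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_CONSECUTIVE_FAILURES:
        record["locked"] = True         # unlocking is an out-of-band administrative action
        return "locked"
    return "denied"


if __name__ == "__main__":
    # Constructed sample store: two users who happen to share a password get different hashes.
    users = {"alice": make_record("correct horse"), "bob": make_record("correct horse")}
    print(users["alice"]["hash"] != users["bob"]["hash"])
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(attempt, "->", login(users, "alice", attempt))
```

Because the salt is random per record, an attacker holding a stolen copy of the store cannot use one precomputed table against every record, and a lockout that only counts failures in a row means a legitimate user who mistypes once is not penalised.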
Key Logging or Network Traffic Interception (Man in the Middle)
This is where a hacker installs software on a user’s PC to record keystrokes, or views the data transmitted between the user’s browser and the online server by monitoring the traffic. In both cases the hacker can look through the recorded text to find a regularly repeated string of characters. This could be a username and the current password. Sirius uses the concept of a Memorable Word. The user is asked for two or three characters from the Memorable Word. The whole word is never typed in. This makes determining the Memorable Word much more difficult.
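A partial-character challenge of the kind described above can be implemented as follows. This is an added example, not Sirius code: the choice of three positions, case-insensitive matching, and the single-use challenge object are assumptions, and the memorable word used in the demonstration is constructed. The server chooses the positions and keeps them; the client only ever sends back the characters, so the same few keystrokes are rarely repeated across logins.

```python
import hmac
import random

CHARS_REQUESTED = 3          # assumed; the page says "two or three characters"
_rng = random.SystemRandom()  # OS-backed randomness for choosing positions


def new_challenge(word_length: int, count: int = CHARS_REQUESTED) -> list[int]:
    """Pick `count` distinct 1-based positions from the word, as they would be shown to the user."""
    return sorted(_rng.sample(range(1, word_length + 1), count))


def verify_answer(memorable_word: str, positions: list[int], answer: str) -> bool:
    """Compare only the requested characters (case-insensitive, assumed) in constant time."""
    if len(answer) != len(positions):
        return False
    expected = "".join(memorable_word[p - 1] for p in positions).lower()
    return hmac.compare_digest(expected.encode(), answer.lower().encode())


class MemorableWordCheck:
    """Server-side state for one login attempt: the positions are chosen here, never by the client."""

    def __init__(self, memorable_word: str):
        self._word = memorable_word
        self._pending = None

    def challenge(self) -> list[int]:
        self._pending = new_challenge(len(self._word))
        return self._pending

    def answer(self, chars: str) -> bool:
        positions, self._pending = self._pending, None   # each challenge can be answered once
        if positions is None:
            return False
        return verify_answer(self._word, positions, chars)


if __name__ == "__main__":
    check = MemorableWordCheck("pumpkin")   # constructed sample word
    asked = check.challenge()
    print("Please enter characters", asked, "of your memorable word")
    typed = "".join("pumpkin"[p - 1] for p in asked)   # what an honest user would type
    print(check.answer(typed))
```

One design consequence worth noting: to check individual characters, the server must be able to recover the memorable word (or a per-position derivative of it), so it cannot be protected with the same one-way salted hash used for the password; it therefore belongs in the same category of protected storage as other secrets the server must read back.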
Another way Sirius defends against Man in the Middle attacks is through the use of One Time Passwords. Every time Sirius exchanges data between the user’s browser and the online server, Sirius sends out a unique One Time Password or OTP. It looks like this:
When the browser sends back the next request it sends the OTP with it. Sirius then checks that the OTP is the same. If not, the user is logged out immediately. This makes it very, very hard to hijack a user’s session.
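The request-by-request token rotation described above can be sketched as a small server-side session model. This is an added example, not Sirius code: the token length, the in-memory session table, and the `("ok", token)` / `("logged_out", None)` return shape are assumptions. Each response carries a fresh token, the next request must present exactly that token, and any mismatch (for example a replayed earlier token) ends the session.

```python
import secrets


class Session:
    """One logged-in user; holds the single token the next request is required to carry."""

    def __init__(self, user: str):
        self.user = user
        self.expected_otp = None

    def next_otp(self) -> str:
        """Issue a fresh token to go out with the response; it supersedes the previous one."""
        self.expected_otp = secrets.token_hex(16)
        return self.expected_otp


class Portal:
    def __init__(self):
        self._sessions = {}

    def login(self, user: str):
        """Establish a session and return (session id, first OTP)."""
        sid = secrets.token_hex(16)
        session = Session(user)
        self._sessions[sid] = session
        return sid, session.next_otp()

    def request(self, sid: str, otp: str):
        """Validate the OTP sent with this request. Any mismatch logs the session out immediately."""
        session = self._sessions.get(sid)
        if session is None:
            return "logged_out", None
        if not secrets.compare_digest(otp, session.expected_otp):
            del self._sessions[sid]          # a stale or forged token ends the session
            return "logged_out", None
        return "ok", session.next_otp()      # rotate: the old token is now useless


if __name__ == "__main__":
    portal = Portal()
    sid, otp1 = portal.login("alice")
    print(portal.request(sid, otp1)[0])      # ok
    print(portal.request(sid, otp1)[0])      # logged_out: otp1 was already consumed
```

The effect is that a token captured in transit is only useful until the legitimate browser's next request consumes it, and a captured token used out of order terminates the session rather than extending it.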
SQL Injection
This is being reported as the attack used to steal information from TalkTalk. It consists of a hacker manipulating the user interface to add their own database queries to the ones being legitimately used by the application.
Sirius defends against SQL Injection attacks in a number of ways:
- Avoids dynamic SQL strings, so there’s never any possibility of a database query being amended.
- Sirius exclusively uses Stored Procedures to query the database.
- User inputs are scanned for SQL scripting commands.
- Lowest possible access privileges for the Windows Domain account that queries the SQL database. The user account only has rights to execute the Stored Procedures it needs – access to other database structures is disallowed.
The above denies attackers the ability to steal data online even if they have managed to obtain user credentials.
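The first point in the list above, avoiding dynamic SQL strings, is the one that can be shown directly in code. The following added example (not Sirius code) uses Python's built-in SQLite driver so that it runs offline: SQLite has no stored procedures or per-account execute permissions, so a parameterised query stands in for the stored-procedure call, which draws the same boundary between statement text and user-supplied values. The table and rows are constructed sample data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts belonging to two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, account_no TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "AC-001", 100), ("alice", "AC-002", 250), ("bob", "AC-003", 900)],
    )
    return conn


def accounts_dynamic_sql(conn: sqlite3.Connection, owner: str) -> list[str]:
    """The pattern the page avoids: the input is concatenated into the statement text,
    so a value containing a quote can change what the statement does."""
    sql = "SELECT account_no FROM accounts WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def accounts_parameterised(conn: sqlite3.Connection, owner: str) -> list[str]:
    """The hardened form: the statement is fixed and the input is bound as a value.
    A stored-procedure call with a parameter has the same property."""
    return [row[0] for row in conn.execute("SELECT account_no FROM accounts WHERE owner = ?", (owner,))]


def injection_test_cases() -> dict:
    """A defender's regression check: the same inputs through both paths."""
    conn = build_db()
    hostile = "x' OR '1'='1"       # classic test string; not a real owner name
    return {
        "dynamic_normal": accounts_dynamic_sql(conn, "alice"),
        "dynamic_hostile": accounts_dynamic_sql(conn, hostile),
        "param_normal": accounts_parameterised(conn, "alice"),
        "param_hostile": accounts_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in injection_test_cases().items():
        print(f"{name:16s} {rows}")
```

In the dynamic version the test string widens the `WHERE` clause and returns every owner's accounts; in the parameterised version it is simply a value that matches no owner. The list's last point, a database account limited to executing the needed procedures, is the backstop for any path that this discipline misses, and is configured in the database rather than in application code.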
URL Manipulation
This is where a hacker who has legitimate credentials to log on to the system changes parameter values in the browser’s URL string in an attempt to access information not properly available to them. Sirius defends against this through user session validation. When a user logs on, a Session is established unique to them and the instance of them logging on. Each time the user requests information the user’s Session is checked for validity and their application rights determined. In this way Sirius based applications can ensure that a user can only view data they are allowed to access.
Another way Sirius defends against URL manipulation is by optionally encrypting URLs in generated HTML using a certificate, and then decrypting them before processing Web Requests as normal. This also defends against information leaking into a web browser’s cache.
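Session validation of the kind described above means the server never trusts a URL parameter on its own; it looks up who the session belongs to and checks that the requested record is one that user may see. The following added example (not Sirius code) shows that check over a constructed ownership table; the session-id format, the `account` query parameter name and the HTTP-style status codes are assumptions. The optional URL encryption mentioned in the last paragraph is a separate measure and is not shown here.

```python
import secrets
from urllib.parse import parse_qs, urlsplit


class AccountService:
    """Every request is resolved to a session, and the session's rights decide what is returned."""

    def __init__(self, ownership: dict):
        self._ownership = ownership      # user -> set of account ids the user may view
        self._sessions = {}              # session id -> user

    def login(self, user: str) -> str:
        """Establish a session unique to this user and this login."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def handle(self, sid: str, url: str):
        """Return (status, payload). The account id in the URL is only honoured if the
        session's user is entitled to it; an edited URL yields 403, not someone else's data."""
        user = self._sessions.get(sid)
        if user is None:
            return 401, None                          # no valid session: log in first
        account = parse_qs(urlsplit(url).query).get("account", [None])[0]
        if account is None or account not in self._ownership.get(user, set()):
            return 403, None                          # valid session, but not this user's record
        return 200, {"owner": user, "account": account}


if __name__ == "__main__":
    # Constructed sample ownership data.
    service = AccountService({"alice": {"AC-001", "AC-002"}, "bob": {"AC-003"}})
    sid = service.login("alice")
    print(service.handle(sid, "/statement?account=AC-001"))   # (200, ...)
    print(service.handle(sid, "/statement?account=AC-003"))   # (403, None): URL edited
```

The important property is that the authorisation decision is made from server-side session state, so changing the parameter in the browser changes only which check is performed, never its outcome.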