Mil dot security ISN'T
Security lapse.
I just noticed this.
US mil.com site asking for SS# with out Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server..
The MIL dot server generates its own security credentials.
And it asks for your Social Security Number.
From the login page:
• Why do we need your Social Security Number?
We request your Social Security Number (SSN) and Date of Birth (DoB) during the registration process only to authenticate who you are. The information you provide is compared with your information in the Enterprise Dictionary Database (EDD), and the information is used solely to verify that you are authorized to have an account. This data is already in the EDD and the Secretary of the Army is authorized to use the data for verification purposes. Your SSN will be stored with your account when it is created, but it is not shared with any other agency or organization, it is not part of your user name, and it is used only as a discriminator during multiple identity instances. • Is it safe?
Security during registration is ensured using a 128-bit Secure Socket Layer (SSL) connection. This is the highest industry standard and establishes an encrypted session between your computer and . We use the same technology that other major companies operating on the World Wide Web (WWW) use to protect personal information and guard against identity theft. Look for the little yellow padlock at the bottom of your browser window to ensure that you have established a secure connection. There are no alternate means of registration as this is the most secure method of protecting your information.
128 SSL is NOT the highest security standard.
Should be upgraded to 256.
And they are asking for your SS# on a NON https page.
Air Force Portal Defense Online MarineNet Navy Enterprise Portal -- Coming Soon
I didn't check the other portals.
Gerald
Tactical Internet Systems analyst.
More: http://cyberarms.wordpress.com/2010/09/13/cyber-arms-intelligence-report-for-september-13th/
.
.
NEW CHINESE CYBER THREAT
I just noticed this.
US mil.com site asking for SS# with out Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server..
The MIL dot server generates its own security credentials.
And it asks for your Social Security Number.
• Why do we need your Social Security Number?
We request your Social Security Number (SSN) and Date of Birth (DoB) during the registration process only to authenticate who you are. The information you provide is compared with your information in the Enterprise Dictionary Database (EDD), and the information is used solely to verify that you are authorized to have an account. This data is already in the EDD and the Secretary of the Army is authorized to use the data for verification purposes. Your SSN will be stored with your account when it is created, but it is not shared with any other agency or organization, it is not part of your user name, and it is used only as a discriminator during multiple identity instances. • Is it safe?
Security during registration is ensured using a 128-bit Secure Socket Layer (SSL) connection. This is the highest industry standard and establishes an encrypted session between your computer and . We use the same technology that other major companies operating on the World Wide Web (WWW) use to protect personal information and guard against identity theft. Look for the little yellow padlock at the bottom of your browser window to ensure that you have established a secure connection. There are no alternate means of registration as this is the most secure method of protecting your information.
128 SSL is NOT the highest security standard.
SSL - a Quick History
In the earlier days of the World Wide Web, 40 bit keys were used. Each bit could contain a one or a zero -- which meant there were 240 different keys available. That's a little over one trillion distinct keys.
Because of the ever-increasing speed of computers, it became apparent that a 40-bit key wasn't secure enough. Conceivably, with the high-end processors that would come available in the future, hackers could eventually try every key until they found the proper one, which would allow them to decrypt and steal private data. It would take some time, but it was possible.
The keys were lengthened to 128 Bits. That's 2128 keys, or 340,282,366,920,938,463,463,374,607,431,768,211,456 unique encryption codes. (That's 340 trillion trillion trillion, for those of you keeping track at home.) It was determined that if computers kept advancing in speed as they have in the past, these 128-bit codes would remain secure for at least another decade, if it not longer. DigiCert certificates don't stop there though. DigiCert SSL Certificates are also compatible with the new AES 256-bit encryption.
Should be upgraded to 256.
And they are asking for your SS# on a NON https page.
Other DoD Service Portals
Air Force Portal Defense Online MarineNet Navy Enterprise Portal -- Coming SoonI didn't check the other portals.
Gerald
Tactical Internet Systems analyst.
More: http://cyberarms.wordpress.com/2010/09/13/cyber-arms-intelligence-report-for-september-13th/
.
.
posted by gerald at
9/13/2010 08:24:00 PM
READ MORE
READ OR SUBSCRIBE, Our WAR OSINT on Twitter
Tweet
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home