greatmarko
Member of DD Central
Posts: 343
Likes: 373
Post by greatmarko on Feb 21, 2017 11:38:59 GMT
Will this include any website security improvements, previously discussed?
Security is always a high priority and following server upgrades we will continue to monitor and improve where necessary, as we previously discussed. No new features, just server upgrade to help with site performance.
So Collateral still taking a rather passive approach to security I see!? Security shouldn't just be a "high priority" - it should be the TOP priority! ...performance improvements are all well and good, but there's still very little evidence that they actually understand and take a pro-active approach to security, rather than just sitting back and "monitoring". Whatever happened to the professional external independent security audit of their IT systems/infrastructure that Collateral were supposed to be instigating?
n
Member of DD Central
Yet another Nick
Posts: 879
Likes: 461
Post by n on Feb 21, 2017 11:49:16 GMT
If I was Collateral I wouldn't openly discuss any aspects of security.
greatmarko
Member of DD Central
Posts: 343
Likes: 373
Post by greatmarko on Feb 21, 2017 14:58:11 GMT
If I was Collateral I wouldn't openly discuss any aspects of security.
...and that instills user confidence how?(!) Reputable internet-based companies and online businesses adopt open and pro-active approaches to security, and are happy to discuss concerns with users! i.e. they have dedicated and knowledgeable in-house IT security expertise, they outsource to independent security firms to conduct audits of their systems/infrastructure, they have a dedicated point of contact for security related incidents and correspondence, they have clearly defined procedures in the event of a security incident, they encourage responsible disclosure of security issues (i.e. many run bug bounty schemes, etc), they seek to allay security fears with fact-based evidence on how they operate, etc, they are happy to disclose how passwords are stored, etc... Security through secrecy and a passive/complacent attitude towards it is not best practice, nor is it reassuring to users!
Post by Collateral Rep on Feb 21, 2017 15:08:12 GMT
Afternoon,
Just to remind you, we have a visit arranged for Thursday the 2nd of March where two forum members will be coming to see us. They will have the opportunity to meet the lead developer to discuss any concerns they may have with security and any other points they want to discuss.
Following the visit they will be reporting back here with their feedback.
Many thanks,
Gordon
stub8535
Member of DD Central
personal opinions only. Not qualified to advise on investment products.
Posts: 1,442
Likes: 945
Post by stub8535 on Feb 22, 2017 8:14:53 GMT
greatmarko, hoy, please send me a PM with specific questions to put before the lead developer, the answers to which we will include in our report back. I will share these with the other visitor beforehand. Assume we have no computer security knowledge when framing your questions. I don't know the experience of the other visitor in the web and physical security field.
Post by barberbookie on Feb 23, 2017 10:09:52 GMT
Hurry up with the upgrade please. Another painful experience trying to buy in this morning.
Post by rookyone on Feb 23, 2017 10:25:09 GMT
It may not just be Collateral, several other sites are painfully slow or down. I think maybe storm Doris causing problems for the Internet in general...
Post by polonius on Feb 23, 2017 11:05:29 GMT
greatmarko, hoy, please send me a PM with specific questions to put before the lead developer, the answers to which we will include in our report back. I will share these with the other visitor beforehand. Assume we have no computer security knowledge when framing your questions. I don't know the experience of the other visitor in the web and physical security field.
Hi everyone, I'm the other visitor and looking forward to our visit to Collateral Towers next week on behalf of all of us here. Among other things I am a trained BSI auditor and I have wide experience of developing and implementing physical security systems and physical Business Continuity plans. I'm only a layman in terms of IT stuff but as Stub says, post any questions here or PM either of us and we'll do our best to get answers for you. John
Post by polonius on Feb 23, 2017 11:17:53 GMT
Hurry up with the upgrade please. Another painful experience trying to buy in this morning.
I was expecting trouble but it worked flawlessly for me this morning. However the new system is still just a more complicated version of FFF with all its drawbacks. I believe the SavingStream bottom-up pre-funding model would be simpler and fairer. OK you would have to prefund with real money but Collateral's speedy withdrawals mean that if you don't get your full allocation you could withdraw any surplus in minutes.
greatmarko
Member of DD Central
Posts: 343
Likes: 373
Post by greatmarko on Feb 23, 2017 12:16:27 GMT
Separately, I note the site now has (partial?) secure connection certification granted by cPanel Inc, which I presume is the new hosting platform but the certification only runs from 12 Feb - 14 May 2017. This coincides with the server upgrade. Why such a short time period - they usually run for at least 2 years?
Yes, there are mixed content warnings on their site - meaning it's not fully served over secure https. ...This is a basic thing their "developer" should have picked up on and addressed.
In relation to the SSL certificate itself; they're using a new feature of cPanel (AutoSSL), which automatically generates auto-renewing SSL certificates for domains every 90 days. The idea behind this is to get more sites using https (as it's free/easy to install without any technical knowledge), however, for businesses dealing with financial matters/transactions - like Collateral - they're not really a good solution.
Firstly, they're only DV (Domain Validated), and not OV (Organisation Validated), or ideally EV (Extended Validation). EV certs give that familiar "green bar" in your browser and are more trusted.
Secondly, the fact that they're using the AutoSSL feature of cPanel immediately discloses the underlying server software they're running (i.e. cPanel). Whilst there's absolutely nothing wrong with cPanel, it's information disclosure that could be of use to hackers (i.e. server "fingerprinting"). Open your browser's developer tools (usually F12, or Ctrl + Shift + I), switch to the error console tab, and visit Collateral's login page - you'll see a whole host of errors (uncaught errors, 404 not founds, etc) - again, basic things that their "developer" should have picked up on and fixed!
Thirdly, the server doesn't support Forward Secrecy.
Fourthly, the server doesn't utilise Strict Transport Security (HSTS).
Fifthly, the server doesn't employ any Content Security Policy (CSP).
Sixthly, the server doesn't have any Public Key Pinning (HPKP).
Seventhly, the server currently supports TLS 1.0 connections. This is considered insecure by today's standards (and from next year will also breach PCI compliance).
...I could go on! ...but bottom line is; all these things combined (which are pretty basic/standard things, and which would have been picked up by a professional, independent security audit of their servers!) coupled with the inability/unwillingness of Collateral to engage on these matters leads me to seriously doubt they understand security, and the supposed security "expertise" that they and their (outsourced?) "developer" have!
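As an added defender's checklist (not code from this thread or from Collateral), the following Python audit scores a site's observations against the shortcomings the post above lists: mixed content, missing HSTS and CSP, no forward secrecy, and TLS 1.0 still offered. Every input is a constructed sample (the example.invalid URLs, headers, protocol and cipher lists are assumptions, not measurements of any real site); HPKP is left out because browsers have since deprecated it.

```python
from urllib.parse import urlparse
PFS_PREFIXES = ("ECDHE-", "DHE-")                 # ephemeral key exchange = forward secrecy
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0 is the post's point; 1.1 added

def audit_headers(headers):
    """Findings for missing HTTP response-header protections (HSTS, CSP)."""
    present = {k.lower() for k in headers}
    findings = []
    if "strict-transport-security" not in present:
        findings.append("NO_HSTS")
    if "content-security-policy" not in present:
        findings.append("NO_CSP")
    return findings

def audit_tls(protocols, ciphers):
    """Findings for legacy protocol versions and cipher suites without PFS."""
    findings = []
    if LEGACY_PROTOCOLS & set(protocols):
        findings.append("LEGACY_TLS")
    if any(not c.startswith(PFS_PREFIXES) for c in ciphers):
        findings.append("NO_FORWARD_SECRECY")
    return findings

def audit_mixed_content(page_url, resource_urls):
    """Flag sub-resources fetched over plain http from an https page."""
    if urlparse(page_url).scheme != "https":
        return ["PAGE_NOT_HTTPS"]
    return ["MIXED_CONTENT"] if any(urlparse(u).scheme == "http" for u in resource_urls) else []

def audit(site):
    """Run every check over one site observation; return sorted finding codes."""
    return sorted(audit_headers(site["headers"])
                  + audit_tls(site["protocols"], site["ciphers"])
                  + audit_mixed_content(site["url"], site["resources"]))

# Constructed sample observations, not measurements of any real site.
WEAK_SITE = {
    "url": "https://example.invalid/login",
    "headers": {"Content-Type": "text/html"},
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "resources": ["http://example.invalid/js/app.js"],
}
HARDENED_SITE = {
    "url": "https://example.invalid/login",
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                "Content-Security-Policy": "default-src 'self'"},
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305"],
    "resources": ["https://example.invalid/js/app.js"],
}
```

`audit(WEAK_SITE)` reports all five shortcomings; `audit(HARDENED_SITE)` returns an empty list.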
macro
Member of DD Central
Posts: 86
Likes: 70
Post by macro on Feb 23, 2017 13:20:49 GMT
Separately, I note the site now has (partial?) secure connection certification granted by cPanel Inc, which I presume is the new hosting platform but the certification only runs from 12 Feb - 14 May 2017. This coincides with the server upgrade. Why such a short time period - they usually run for at least 2 years?
Yes, there are mixed content warnings on their site - meaning it's not fully served over secure https. ...This is a basic thing their "developer" should have picked up on and addressed.
In relation to the SSL certificate itself; they're using a new feature of cPanel (AutoSSL), which automatically generates auto-renewing SSL certificates for domains every 90 days. The idea behind this is to get more sites using https (as it's free/easy to install without any technical knowledge), however, for businesses dealing with financial matters/transactions - like Collateral - they're not really a good solution.
Firstly, they're only DV (Domain Validated), and not OV (Organisation Validated), or ideally EV (Extended Validation). EV certs give that familiar "green bar" in your browser and are more trusted.
Secondly, the fact that they're using the AutoSSL feature of cPanel immediately discloses the underlying server software they're running (i.e. cPanel). Whilst there's absolutely nothing wrong with cPanel, it's information disclosure that could be of use to hackers (i.e. server "fingerprinting"). Open your browser's developer tools (usually F12, or Ctrl + Shift + I), switch to the error console tab, and visit Collateral's login page - you'll see a whole host of errors (uncaught errors, 404 not founds, etc) - again, basic things that their "developer" should have picked up on and fixed!
Thirdly, the server doesn't support Forward Secrecy.
Fourthly, the server doesn't utilise Strict Transport Security (HSTS).
Fifthly, the server doesn't employ any Content Security Policy (CSP).
Sixthly, the server doesn't have any Public Key Pinning (HPKP).
Seventhly, the server currently supports TLS 1.0 connections. This is considered insecure by today's standards (and from next year will also breach PCI compliance).
...I could go on! ...but bottom line is; all these things combined (which are pretty basic/standard things, and which would have been picked up by a professional, independent security audit of their servers!) coupled with the inability/unwillingness of Collateral to engage on these matters leads me to seriously doubt they understand security, and the supposed security "expertise" that they and their (outsourced?) "developer" have!
Thanks for the advice, although I won't pretend to understand much with respect to the issues raised! However, I would hesitate to post this sort of detail in a public forum for fear of causing the type of security breach which you highlight. Perhaps it might be better first addressed privately to Collateral? I'm sure though that clients would welcome reassurance that their systems are safe.
greatmarko
Member of DD Central
Posts: 343
Likes: 373
Post by greatmarko on Feb 23, 2017 14:24:48 GMT
However, I would hesitate to post this sort of detail in a public forum for fear of causing the type of security breach which you highlight. Perhaps it might be better first addressed privately to Collateral?
I haven't posted anything which isn't already readily available to anyone with just a web browser (i.e. you can visit their website and see the errors, SSL certificate issues, and mixed content warnings yourself). What I've outlined are basic security principles that ANY competent web developer should be aware of! Nothing I've posted further increases the risk of a security breach, or would be "advantageous" to a hacker - I haven't disclosed a specific vulnerability or a single attack vector, merely I've highlighted a number of pretty basic shortcomings, which demonstrate (to me at least) that Collateral's IT knowledge and security expertise appears to be sub-par. Don't get me wrong; I don't have anything against Collateral - I - along with hoy and others - very much want to sign up and invest with them, and see them go from strength to strength! ... but there are legitimate concerns which Collateral don't seem to understand, take seriously, or adequately address. I'd really like Collateral to just be open and honest and say that they perhaps don't currently have the necessary IT security expertise in-house, and for them to confirm whether their IT systems/practices have been independently audited by a reputable, professional IT security firm yet. If an independent IT security audit has taken place and everything's fine, then in addition to the full private report to Collateral themselves, the independent security firm should also be able to provide them with a 1-page "certificate"/executive summary of their findings, which can be made public (as it won't contain sensitive details), and which confirms that their independent security review found no issues/causes for concern.
The fact that Collateral won't confirm or provide evidence of such an independent IT audit is worrying - it indicates that either they've not had one, or they've had one which has highlighted a number of issues/concerns, which Collateral haven't yet addressed.
greatmarko
Member of DD Central
Posts: 343
Likes: 373
Post by greatmarko on Feb 23, 2017 14:29:58 GMT
ilmoro
Member of DD Central
'Wondering which of the bu***rs to blame, and watching for pigs on the wing.' - Pink Floyd
Posts: 10,840
Likes: 11,068
Post by ilmoro on Feb 23, 2017 14:32:05 GMT
Post by onion12 on Feb 24, 2017 9:12:42 GMT
Collateral, is there an upgrade going to happen? The site is not usable, not even on renewals; it defo needs a major sorting out.