ArmyNet a serious personal security threat?

Discussion in 'Royal Signals' started by polar, Nov 2, 2006.

  1. Following another thread I just tried to log on to ArmyNet.

    User name and password OK, but then it asked about a memorable word, which I'd forgotten. I was then asked a number of very personal questions. I entered them but I think it's very wrong to be asked them over the internet. A complete lack of personnel security, which encourages people to enter the same information on other sites, which leads easily to identity fraud.

    If I was an IS security officer, I'd be tempted to ban the site completely to protect soldiers.

    I'd put up with other questions like where was your first school (that's easy, check friendsreunited web site), what's your mum's maiden name (ffs .. a hacker knows my service number & blood group, then it's pretty obvious you can find that on genesreunited site)
  2. My understanding was that the information on ArmyNet is sensitive, but not classified, hence the ability to host on the web.
  3. I'm not sure why you're concerned about answering these questions on the Internet. Once you go past the initial login page of armynet, you are put into an encrypted session between your computer and armynet's server. It's extremely secure, much more secure than using a phone to your bank or buying something by email without encryption.

    I'm not sure what it's asking you that caused such concern. Any questions asked to confirm your identity will be info you have given them or info only you should know. If you are an intruder trying to gain access to an account, you won't know the answers so how can fraud be committed? Armynet are acting in your best interest by making the site secure and only allowing authorised users access. If you have put your blood group on genes reunited, it's public knowledge and you've been the author of your own demise.
  4. Asking too many questions can actually degrade security. My ARRSE password isn't recorded anywhere but my ArmyNet user name, memorable word, answers to a number of the security questions and password are.
    So someone is more likely to be able to log on to my ArmyNet account than ARRSE. I appreciate they have to validate who I am and that it's encrypted, but what if someone's spoofed the DNS entry and it's not ArmyNet I'm logging onto??
  6. Then they are very unlikely to have the certificates req'd for a secure session if they have spoofed the DNS and routed you to say Russia.

    I agree it is very frustrating but is it a security threat? I'd suggest not. Internet banking (certainly Tescos, Lloyds and Sainsburys) have a very similar log on procedure.
  7. You don't have to actually put in the "real" answers to the questions. How will Armynet know if your shoe size really is 3? Or your first school was "Puddlington-By-The-Sea, Mongington"? Or your mother's maiden name was "Bigwushyfishylips"?

    Obviously you have to confirm your NI Number and your blood group, those details (I think) are held on your records associated with your army number and they are needed to verify it's you.

    The memorable word thing bugs me though, because it's not a word, you have to put a number in there. I can't, personally, think of any words with an actual number in........

    Armynet's not too bad, once you have worked out where all the good bits are, and if you think people whinge on here, you should have a look at some of the stuff in the forums there.
  8. As Dale says. And also check the certificate if you are worried.
  9. I can M8...
  10. Spoke to Armynet helpdesk reference this due to a log on problem I had, and as Dale said, the answers are not verified; you can answer whatever you choose during initial registration.
  11. I can second that, all my answers are the same. Remembering 20 different passwords for different logins is a pain in the arrse, especially if, like me, you can't remember what you had for breakfast. I've finally settled on something with letters and numbers that can be used on most sites, yes I realise all my eggs are in one basket but it beats contacting them and going through the hassle of issuing me a new one. What pi$$es me off is the ones on mod systems that force you to select one of 3 "easy" to remember passwords "wot-zyf-dej" ...ok!! -now let me just write that down and stick it under my keyboard!
  12. I have read these threads on a regular basis and found a lot of the statements made have been made without any knowledge of security protocols etc. Armynet is a 128-bit encrypted site hosted with 8 layers of security (most hosting services for businesses don't have half as many layers!). Agreed, your details are stored; however, your details are stored by every government agency on the planet! Your bank details for instance will offer more of an attractive target for hackers than your shoe size or mother's maiden name and in fact your pay statement. As for the statement about ARRSE not storing details, think about it! Anonymity is a plug in for a monitored, recorded blog/forum application, so it would be naive to suggest that your details aren't stored. My final question: has Armynet ever been hacked....or the MOD site...... simple answer is no and why.... because it would take years of number crunching to do so and heaven knows how many hackers have tried, we aren't the most popular organisation in the world!
    Nobody would bother trying to hack or gain entrance to armynet DII D/D. There would be no point to it. There is nothing to gain from it apart from bragging.
  14. Even if someone did gain access, what in reality would it get them? Okay, so they can see how much you get paid. You can see that from the Army website anyway, so nothing lost there.

    Your home details are not stored on it, your unit maybe, but nothing that's really really personal and therefore a security risk.

    As an ITSO I would have no qualms with giving this site its security certificate if it was my responsibility. Even the little bit of personal info it holds has more security around it than the majority of banks these days so there is no problem.

    You're worrying about nothing.
  15. To sum up.

    The personal information that you give to log onto ArmyNet can be fictitious. Mine's so fictitious, I've forgotten what it is!

    Anybody hacking into ArmyNet is going to be soooooo disappointed as it has a site rule of limiting content to Unclassified.

    ARRSE has about the same level of content restriction and is open to anyone (but doesn't allocate gucci e-mail addresses).