[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Resolved - NNT Change Tracker - Hard-Coded Encryption Key Originally posted as http://seclists.org/fulldisclosure/2011/May/460
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Resolved - NNT Change Tracker - Hard-Coded Encryption Key Originally posted as http://seclists.org/fulldisclosure/2011/May/460
- From: support@xxxxxxxxx
- Date: Wed, 29 Jun 2011 14:36:24 GMT
Background
-----------------
The product employs a portion of legacy code as referenced in the original
post. This is used for the product key and some database entries but whilst the
strength of the encryption being used here may be a problem for the NNT
licensing team, there is no genuine security risk for device data. This portion
of code has subsequently been replaced in Versions 5 and patches are available
from www.nntws.com
Change Tracker works on the principle of layered, multi-dimensional security in
line with the PCI DSS that it is commonly used to underpin. The secure
commissioning process should include standard lockdown and access-restriction
procedures for the Change Tracker server and database server used for device
and configuration data storage. Access security should also be complemented
with monitoring using a SIEM solution such as NNT Log Tracker, so any access to
the Change Tracker server, the Change Tracker console program or the database
will be logged and alerted as unusual activity.
NNT take security of our customer systems extremely seriously. Anyone with any
concerns regarding best practise in Production System security should contact
us for further assistance.
Regarding any vulnerabilities discovered by independent security researchers in
the future, we would prefer these are reported to us at support@xxxxxxxxx
before being published. This was not the case in this instance, delaying our
opportunity to respond. Thank you.
Company Homepage
------------------------------
http://www.newnettechnologies.com
Regards
NNT Support