Possible threats of accessing confidential TW data

by GRAPHISOFT and Andor Szőke · updated: 03.26.2012

1. Data theft

For making Data theft possible an attacker has to be able to CONTROL a computer physically on the Office LAN or physically connect his computer or to another physical network point that is between the computer of the client and the office router. By using the latter it is extremely hard to get any useful information because on the internet the route of the packets changes from packet to packet. Then the attacker can simply filter data having the target port in question. Note, that even if the attacker finds the weekness in the security system it is not possible to “steal” a whole project file this way, since only the project changes are sent to the BIM server, never the whole project database. The more likely goal of the attacker is to steal user account information, which would allow the attacker to log in to the BIM server as one of the existing user.

2. Password Cracking

An attacker might simply try to log into the BIM server by guessing user names and passwords. The attacker might use Password cracking tool to do this.


Making sure that confidential data is not accessed by unauthorized people

General Criteria

  1. Use unguessable passwords

Security Level 1. (use of static public IP Addresses)

Security achieved: One can be sure that confidential project data can only be compromised even if the office router is cracked by an attacker. This level practically excludes both Data Theft and Password Cracking. With this level of security project delta’s going between the remote client computer and the BIM server can still be intercepted but recreating the project based on these delta’s is practically impossible.

* Must do’s for achieving Security Level 1.

  1. The firmware of the router must be regularly upgraded. This is needed in order that the Router cannot be cracked.
  2. Make sure that office workers who will access the BIM server from outside the office LAN (through the internet) have static public IP Addresses .
  3. When you open the four BIM ports on your firewall make sure that you really open only these ports and not all the ports.
  4. Set the office firewall so that through the four BIM ports only traffic from the above mentioned static public IP Addresses are allowed.

Security Level 2. (use of VPN)

Security achieved: By achieving this level of security one can be sure that confidential project data is not compromised. By using VPN all sent information is encrypted. This level theoretically excludes both Data Theft and Password Cracking.

* Must do’s for achieving Security Level 2.

  1. Purchase a VPN solution.
  2. Use unguessable passwords with VPN.

Good to know

BIM server libraries can be downloaded by any user registered on the particular BIM server no matter of the roles assigned to this user.

Can the general network safety of an office (not just ArchiCAD related safety) be affected by opening BIM ports on the firewall?

Speaking of a service running in a LAN which is accessible from the internet the following generally possible threats exist, but these are very unlikely threats in case of BIM server:

1. Buffer Overflow (Stack Overflow or Heap Overflow) Attack

A stack or heap overflow attack means exploiting vulnerabilities in a program which allows writing into the memory space used by the program. Such an attack allows the attacker to execute their own code in the computer. The goal is to run malicious software on your computer. To do this, the attacker needs to analyze the software it is going to attack, then write a very sophisticated piece of code specially designed to attack the specific software (in this case, the BIM server). Attackers typically target popular programs that used by tens or hundreds of millions of people around the world (like operating systems and web browsers). This type of attack is unlikely to happen to BIM servers.

2. DOS (Denial Of Service) Attack

A DOS attack is an attempt to make a computer resource unavailable to users by sending a large amount of requests to the server. This will overload the server, which will not be able to respond to normal requests. The goal is to impede server communication. Since a DOS attacker doesn’t have much benefit in attacking a BIM Server (this is not a way of stealing data), this type of attack is not very likely to happen against BIM Servers.

How to make sure that data loss will not occur in WAN environment?

This topic is covered by the Teamwork project data management article.

Related content

VPN

ForWikiEditors : ToDo/ - check and update article Here is a collections of "tricks" that Technical Support has heard of for getting VPN to work. We do not have the resources to test these ideas. Hopefully one will be of help to you. WIBU or CodeMeter and…