NRA: New Membership Portal

[DavidRees]

The NRA has started to roll out a new portal, on which members can update their firearms details, etc., which in principle is a good thing.

However, the new system is potentially of concern, because it appears that the system is not under the control of the NRA, but a separate entity, apparently a for-profit company. One is required to accept Terms and Conditions imposed by the company before access is given, and since we are told that this system will eventually replace the registration of firearms usage in the Range Office, we seem to have little choice but to accept these T&Cs. The portal is not within the NRA domain ("nra.org.uk"), but "nra.azolve.com", emphasizing that this is a system separate from the NRA, but run for them.

This raises questions regarding the security of, and access to, our data which I hope the NRA will address--I have left a voicemail for Richard Blackmore, and hope to hear from him shortly. I certainly don't feel that I have ever agreed that the NRA can make my membership details available to a 3rd-party organisation, even one contracted to provide a service to the NRA, which appears to be the case here.

I am also less than impressed with the quality of the new system -- and I speak as a person with extensive experience in the IT industry, including the design and implementation of websites. It appears to have gone live without quite the level of testing it should have received.

All in all, not a great move, I fear.

[meles meles]

I am also less than impressed with the quality of the new system -- and I speak as a person with extensive experience in the IT industry, including the design and implementation of websites. It appears to have gone live without quite the level of testing it should have received.

Hmmm, dead giveaway then that it's a Guvverment computer database to document everything in preparation for the next ban...

[bigfathairybiker]

Why do you need to enter anything but your name and address?

Mark

[nfrancis]

I am also less than impressed with the quality of the new system -- and I speak as a person with extensive experience in the IT industry, including the design and implementation of websites. It appears to have gone live without quite the level of testing it should have received.

All in all, not a great move, I fear.

Just updated a few details - all seemed to work OK.

[Demonic69]

So apart from the NRA and possibly the NHS College they have no clients with potentially dangerous information! Couple that with the fact that all of your info is stored in their domain and I think they NRA have F'ed up immensely!
Firearms information should be stored at at least IL3 level, IL2 would be recommended and I can't see anything on their site mentioning their approval process for security layers. Are their staff expected to be security cleared to a reasonable standard? A CRB just won't cut it!
I think the NRA really need to communicate to it's members their decision to go this route and the reasons behind it, safeguards taken etc.

[DavidRees]

Why do you need to enter anything but your name and address?

Mark

Actually, that's precisely the data that is most sensitive, if one owns a gun, for obvious reasons.

The other information (for example, gun type, serial number) is used to record usage for target shooting, as required by legislation. Most clubs do this with a paper record kept in the clubhouse, but kept separate from the member's address; the web-based portal the NRA is implementing makes all this data available in one place, and of course, accessible via the internet. The security of the data is dependent upon the quality of the implementation; based on what I've seen so far, I'm not convinced.

If you use the system, make sure you use a STRONG password (random string of numbers, upper- and -lower-case letters, at least eight in length), and pick a username which is not easily guessed.

David.

[nfrancis]

But then tried to change a few other bits and it didn't work :-(

[DavidRees]

Not a very professional job, this portal, which does not inspire confidence about the security of our data, or even that the question has been given much consideration -- which is definitely a responsibility the NRA owes its' members.

David.

[Gaz]

So apart from the NRA and possibly the NHS College they have no clients with potentially dangerous information! Couple that with the fact that all of your info is stored in their domain and I think they NRA have F'ed up immensely!
Firearms information should be stored at at least IL3 level, IL2 would be recommended and I can't see anything on their site mentioning their approval process for security layers. Are their staff expected to be security cleared to a reasonable standard? A CRB just won't cut it!
I think the NRA really need to communicate to it's members their decision to go this route and the reasons behind it, safeguards taken etc.

We all know that creating an online repository of FAC owners' details, publicly accessible, creates a giant sitting target. The real question is how well armoured it is against intrusion. Gawd help the NRA (and the operator of the website) if it's ever breached.

One trusts there's a clause in the contract requiring disclosure of any unauthorised access attempts.

[Demonic69]

The real question is how well armoured it is against intrusion.

Well the portal alone scores an "F" on a basic Qualys scan due to using outdated and insecure SSL 2.0. They're only using TLS1.0, not 1.1 or 1.2 which would suggest they're not that bothered about security.
Compare that to GMAil, with an A rating!