Last updated: 1 May 2021
Your security, data and privacy are very important to us, and that is why we have gone the extra mile to protect you and your business. We have deployed an extensive set of security measures that extends beyond the legal requirements.
Correspondence and Payment Security
Energy Knect protects your data and correspondence on the Energy Knect site by deploying TLS (Transport Layer Security). TLS is the latest and most secure cryptographic protocol that provides trusted end-to-end security of data sent between applications over the Internet.
TLS is the successor to SSL and uses complex encryption algorithms to offer your personal data and correspondence that extra protection from potential threats. This technology ensures that only the sender and recipient can read the exchanged content, in turn protecting it from third-party access.
The Energy Knect team take pride in continuously reviewing our security software applications to ensure we are deploying the highest security measures on the Energy Knect site. Furthermore, our security experts are continuously examining our site to identify potential vulnerabilities and to ensure that our members and their businesses can have a safe and secure online business development experience.
Virtual Meeting Service Security
MegaMeeting v.4 WebRTC
All MegaMeeting v.4 Meetings are browser-based and centre around WebRTC for audio and video streaming.
- End-to-End Encryption
Encryption is built into WebRTC and is mandatory for all components including signalling. Peer-to-peer transmission is encrypted using standards supported by compatible web browsers.
- Data Transport Layer Security (DTLS)
Encryption is handled using DTLS which is based on the TLS standard and is designed to prevent eavesdropping, tampering, and message forgery.
- Secure Real-Time Protocol (SRTP)
Additional encryption is handled by SRTP which protects real-time streaming data (such as video and audio) and is intended to provide encryption, message authentication and integrity, and replay attack protection.
- Camera And Microphone Access
Access to camera and microphone devices is handled directly by the user’s web browser and explicit permission must be granted by the user before camera or microphone data can be accessed by the web browser. The user remains in control of camera and microphone access at all times and can disable access to camera and microphone devices using the controls provided by their web browser.
- WebSockets – WebRTC provides secure signalling channels for voice and data communication over web sockets.
- Meeting Security – All meetings can be additionally secured via a unique access key per participant, which prevents unauthorized access to a meeting. Keys can be revoked at any time to prevent future access to a meeting.
- Account Security – All accounts are accessed over a secure HTTPS (SSL) connection and protected by authentication. User credentials are stored as cryptographic hashes.
MegaMeeting v.2 and v.3 Adobe Flash
All MegaMeeting v.2 and v.3 Meetings are browser-based and centre around Adobe Flash Player.
- Flash Player Security and HIPAA Compliance – In a world where most digital experiences fall flat, Adobe Flash technology offers something different. It’s a lightweight, cross-platform runtime that can be used not just for rich media, but also for enterprise applications, communications, and mobile applications. The Flash technology is fueling an increasing number of Rich Internet Applications (RIAs). And as a result, a growing number of employees, partners, and customers have access to enterprise data and processes. This access, combined with the requirement to comply with industry regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), has enterprises interested in the level of security provided by this framework. The Flash technology and the Flex product family address this concern by leveraging an organization’s existing security solutions and technologies. The Adobe approach is to implement robust security within its own products while avoiding new exposures to the rest of the environment. However, the Flash technologies are not security products; they leverage existing security tools and approaches that are already in place while minimizing additional investments in security. Flash was designed to be inherently secure, leveraging industry-standard security procedures to deliver a reliable user experience. For example, the Flash technology integrates seamlessly into an organization’s existing architecture at the browser level through a plug-in and at the presentation tier through Flex software or a static HTML solution with script and Flash. The Adobe Flash technology leverages an organization’s existing infrastructure. Security is handled by existing security solutions and protocols. Because the Flash technology leverages SSL and authentication technologies and requires no changes to access control or other security settings, organizations do not need to deploy additional security solutions to use the Flash technology. In Flash environments, security is handled by existing security solutions and protocols. The Flash technology is a true multiplatform environment that leverages the core security capabilities of the underlying operating systems, browsers, and application servers. The Flash technology is based on proven and accepted security standards such as SSL and HTTPS for data transport. It has a layered architecture that encompasses these key elements. This paper focuses on the servers and runtimes (for example, Adobe Flash Player and Adobe Flex software), which are used to deliver Flash applications, content, and communications, and which act as the platform, provide the controls, and specify the architecture. Due to the increasing pressures to comply with a range of industry regulations and the fact that a growing number of partners, contractors, and customers have access to corporate networks, enterprises are investing significant amounts in authentication and authorization services. These include single sign-on, VPN integration, specialized hardware (for example, smart cards), PKI, RSA, SecurID®, or other physical tokens. At the same time, industry-specific requirements are mandating organizations to deploy authentication solutions. For example, both federal agencies and financial services organizations are required to utilize two-factor authentication measures to secure electronic transactions. Similarly, pharmaceuticals and health care organizations are facing tremendous pressure to protect the privacy of individuals through regulations such as HIPAA. Fortunately, organizations that use Flash technology can leverage their existing infrastructure and security investments to address these requirements. Flex Data Services sits on top of a Java server and integrates with standard protocols for authentication, such as LDAP and other directory services. On the client side, the Flash client runtime
applications may interact freely with resources within the same sandbox, the Flash Player sandbox prevents unauthorized access to the operating system environment as well as other local instances of Flash Player.
- Unauthorized Access to Data – Unauthorized access to data refers to data on local disks, networked disks, or web servers that are communicated over the network or stored in memory by an application or process (for example, password lists, address books, privileged documents, and application code). An ActionScript program in Flash Player cannot write, modify, or delete any files on the client machine other than shared objects (small, Flash-specific files), and it can only access shared objects on a per-domain basis. Internet-based Flash applications cannot read any other local files or any sensitive or private data. In fact, no ActionScript methods available to Flash applications can create, modify, or delete directories or files directly. In order for web-based Flash Player content to access server data, the domain serving the Flash Player content must get explicit permission from the domain hosting the requested data (AKA the provider domain). Without permission, the load will fail. These permissions are specified by a policy file located on the server of the provider domain. This file enables access control by explicitly listing the domains that have permission to access data on that server.
- Unauthorized Access to Private User Information – Personal and financial data — as well as information about the user’s security settings for Flash Player — often resides on a user’s machine, and users are rightly concerned about others accessing this information. However, users should be aware that Flash Player does not collect information about them. Users have control over the Flash Player behaviour when encountering decisions concerning privacy. Through the Flash Player Settings user interface and Settings Manager, users can fine-tune the following settings related to privacy and security: local storage of data using the local shared objects mechanism; access to cameras and microphones connected to the system; and notification of updates to Flash Player. In an enterprise environment, network administrators can control settings for Flash Player centrally to ensure that all clients conform to the corporate security policy. In addition to the fundamental protections provided by the sandbox and virtual machine, the Flash Player client also provides stakeholders (those who own or administer a resource) with flexible, easy-to-use controls to permit (or limit) access to sensitive resources such as network files and databases. The Flash Player security model is organized in a way that enables enterprises to delegate control of permissions to the appropriate stakeholder. This model also supports the distributed architectures that are commonly used for applications built on the Flash technology.
vulnerabilities on the Open Web Application Security Project site (Source: www.owasp.org). In contrast, Flash content is delivered as a series of instructions in binary format to Flash Player over web protocols in the SWF file format. The SWF files themselves are typically hosted on a server and then downloaded to, and displayed on, the client computer when requested. Because Flash Player is binary and compiled, it inherently minimizes these threats compared to string-based language solutions that may leave back-end data vulnerable and unprotected. Typically, applications access databases through dynamically generated SQL statements, because these statements are fairly easy to implement and provide for looser coordination with the database. However, it is difficult to produce dynamically generated SQL statements that are resistant to SQL injection. In addition, dynamic statements often require broad access permissions to database objects. Prepared statements protect against SQL injection, while stored procedures allow the database to be more tightly locked down. During the application penetration assessment conducted by Symantec Professional Services mentioned previously, Symantec found that the implementation of stored procedures prevented attempts to compromise application data through the use of SQL injection and manipulation attacks.
- Data Transport – Clearly, the secure transport of data between Flash and Flex hosts and applications is critical to ensuring the integrity of the data, as well as making sure others do not use that data for malicious purposes.
- Standards Compliance – Both Flash Player and the Flex product line use standards-based protocols for data transport. Flash Player knows whether its data was obtained over a secure HTTPS (HTTP over Secure Sockets Layer) connection and records that fact using separate sandboxes. Data loaded from HTTPS sites is subsequently treated differently than data from HTTP or other, less secure sources. This client data segmentation is a natural extension of the most common PKI models, which use X.509 certificates to identify clients and servers. Cryptographic standards such as X.509 certificates are implemented by the browsers with which Flash Player interoperates. On the server side, these standards are implemented by the hosting environment. By using XML and SOAP standards for data transport, the Flex product line benefits from common security technologies such as HTTPS, which is supported for all operations.
- Wireless Security – As the corporate network extends to provide access to a variety of constituents — such as contractors, partners, customers, and telecommuters — organizations must protect an increasing number of remote users. Without effective wireless security, not only is the data in transit vulnerable to access and manipulation, but the enterprise network itself is vulnerable to Internet threats and malicious code that can be introduced through wireless devices. By using SSL, native encryption, and security on the operating system, Flash Player and the Flex product line minimize wireless security concerns. Since Flash applications running within a browser use the browser for almost all communication with the server, they can take advantage of the browser’s built-in SSL support for encryption. In addition, the actual bytes of an Adobe Flash application can be encrypted while they are being loaded into the browser. By playing a Flash application within an SSL-enabled browser through an HTTPS connection with the server, organizations and users can ensure that the communication between Flash Player and the server is encrypted and secure.
- Ease of Integration with SSL Accelerators and Load Balancers – Integration with SSL accelerators and standard load balancers is simple. For example, because Flex Data Services handles requests that are initially received by a web server, the Flex server does not need to know what protocol is being used. To switch from HTTP to HTTPS, the server administrator simply modifies the web server as he or she would have done without the Flex server installed.
- Support for Encrypted Tunneling – Applications built with Flash Media Server use the Real-time Messaging Protocol (RTMP) for high-performance transmission of audio, video, and data messages in a single data channel between the client and the server. While RTMP does not include security-specific features, Flash communications applications can perform secure transactions and secure authentication through an SSL-enabled web server. When running within a browser, Flash Player can use secure encrypted HTTPS tunnelling to communicate through RTMP. This tunnelling support provides users behind a typical corporate firewall with a transparent experience while ensuring secure data transport.
- Conclusions – With the Flash technology, organizations can develop, deploy, and distribute with confidence RIAs, enterprise and mobile applications, and communications to employees, partners, and customers. Flash Player and the Flex product line leverage an organization’s existing security infrastructure (which means they are security independent), are based on existing accepted standards, and use secure technologies. By virtue of the way that the Flash technology and the Flex product line integrate with existing authentication, access control, data transport, and malicious code prevention solutions, they do not adversely affect an organization’s ability to meet security requirements. Just as importantly, this approach supports continued compliance with security best practices and regulations, such as the Sarbanes-Oxley Act of 2002 and HIPAA. And by leveraging an organization’s existing security infrastructure, the Flash technology enables the successful deployment of secure applications without further investments. According to an independent security assessment by @stake, Adobe has developed a strong information protection model against client-side threats. “[The Flex] architecture mitigates many common client-side attacks such as cross-site scripting, denial-of-service [attacks], SQL injection, man-in-the-middle [attacks], and session hijacking.” In addition, server-side security is maintained by leveraging J2EE security to mitigate common attacks against infrastructure components, such as buffer overflows, heap corruption, and cross-site
For more information, please visit: http://www.adobe.com