
[cobalt-security] RE: cobalt-security digest, Vol 1 #783 - 9 msgs



Please unsubscribe our email address - richard.mitchell@xxxxxxxxxxxx

Thank you very much.

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of
cobalt-security-request@xxxxxxxxxxxxxxx
Sent: 15 May 2002 20:43
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: cobalt-security digest, Vol 1 #783 - 9 msgs


Send cobalt-security mailing list submissions to
	cobalt-security@xxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
	cobalt-security-request@xxxxxxxxxxxxxxx

You can reach the person managing the list at
	cobalt-security-admin@xxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-security digest..."


Today's Topics:

   1. Credit card (duncan gray)
   2. Re: Credit cards (Jeff Lasman)
   3. Re: Credit card (Gerald Waugh)
   4. Re: Credit cards (Gerald Waugh)
   5. Re: Credit card (Steve Werby)
   6. Re: Credit card (Jeff Lasman)
   7. Re: Credit card (E.B. Dreger)
   8. Re[2]: [cobalt-security] Credit card (Eugene Crosser)
   9. Re: Credit cards (Gerald Waugh)

--__--__--

Message: 1
Date: Wed, 15 May 2002 00:29:58 -0700 (PDT)
From: duncan gray <duncanrobertgray@xxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] Credit card
Reply-To: cobalt-security@xxxxxxxxxxxxxxx



So really the main issue is getting the information off the server as soon
as possible, so if for some reason you were hacked, they only get 1 number,
or none as you've already removed them.  Do the credit card companies say you
can't do this sort of thing? Is it chiseled out in stone somewhere?  I'm sure
holding CC details on the server would be more secure than the office next
door, where all someone has to do is break a window (ok yeah just an
example), take the receipts, etc. Or just look over someone's shoulder when
they are making a payment somewhere.

D.




--__--__--

Message: 2
Date: Wed, 15 May 2002 00:00:41 -0700
From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
Organization: nobaloney.net
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Credit cards
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

"E.B. Dreger" wrote:

> I'm writing something that even zeroes RAM where CC info was kept
> after processing.  But, then, I'm paranoid.  (And, no, that's not
> a plug.  We have no current plans to sell the software in
> question.)

Eddy, there's a commercial package available that does that; it's not
expensive.  You can read about it at "http://www.jetico.sci.fi/" and no,
I'm not connected with them in any way except that I use their products.

Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484

--__--__--

Message: 3
From: Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
Organization: Front Street Networks LLC
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Credit card
Date: Wed, 15 May 2002 05:27:10 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On Wednesday 15 May 2002 03:29 am, duncan gray wrote:
> So really the main issue is getting the information off the server as soon
> as possible, so if for some reason you were hacked, they only get 1 number,
> or none as you've already removed them.  Do the credit card companies say
> you can't do this sort of thing? Is it chiseled out in stone somewhere? I'm
> sure holding CC details on the server would be more secure than the office
> next door, where all someone has to do is break a window (ok yeah just an
> example), take the receipts, etc. Or just look over someone's shoulder when
> they are making a payment somewhere.

Don't put unencrypted credit-card info on a server at all. There are goons
that have full time jobs looking for credit card numbers (and the info that
goes with them) on servers.

gnupg is not that difficult to install. It's worth the effort.

--
Gerald Waugh
http://www.frontstreetnetworks.com :: Phone. [011] 203.785.0699
Front Street Networks LLC | SOHO Networks & Web Site Hosting
229 Front Street, Ste. #C, New Haven, CT, 06513-3203 United States

--__--__--

Message: 4
From: Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
Organization: Front Street Networks LLC
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Credit cards
Date: Wed, 15 May 2002 05:29:23 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On Wednesday 15 May 2002 03:00 am, Jeff Lasman wrote:
> "E.B. Dreger" wrote:
> > I'm writing something that even zeroes RAM where CC info was kept
> > after processing.  But, then, I'm paranoid.  (And, no, that's not
> > a plug.  We have no current plans to sell the software in
> > question.)
>
> Eddy, there's a commercial package available that does that; it's not
> expensive.  You can read about it at "http://www.jetico.sci.fi/" and no,
> I'm not connected with them in any way except that I use their products.
>
We process the card in RAM, then wipe the arrays. I have seen processing
software that writes the data to a file, then deletes the file. I stay away
from that.

--
Gerald Waugh
http://www.frontstreetnetworks.com :: Phone. [011] 203.785.0699
Front Street Networks LLC | SOHO Networks & Web Site Hosting
229 Front Street, Ste. #C, New Haven, CT, 06513-3203 United States

--__--__--

Message: 5
From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] Credit card
Date: Wed, 15 May 2002 09:30:14 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

"duncan gray" <duncanrobertgray@xxxxxxxxx> wrote:
> So really the main issue is getting the information off the server
> as soon as possible, so if for some reason you were hacked,
> they only get 1 number, or none as you've already removed them.

I wouldn't even want to risk someone accessing a single credit card number.
If someone hacks into the server they'll be able to access all of the credit
card info you store in plain text, regardless of how long the data stays on
the drive.  All that's needed is a process that monitors for new credit card
info and records it or emails it somewhere.  Sure, the hacker might only be
able to get info. from one transaction at a time, but that isn't going to
make you look any better when you're hacked and the info. is stolen.

> I'm sure holding CC details on the server would be more secure
> than the office next door, where all someone has to do is break
> a window (ok yeah just an example), take the receipts, etc. Or
> just look over someone's shoulder when they are making a
> payment somewhere.

Well, if your server is connected to the Internet, then it's possible for an
intruder to be located anywhere on the planet.  If the credit card info. is
in your office the potential intruders are a little more geographically
restricted.  <g>  Seriously, in any case it's advisable to take the proper
precautions.  If you process the credit card info. yourself then it's
advisable to encrypt it using gnupg or pgp and either keep no
paper/electronic trail of unencrypted info. or keep it very, very secure and
definitely off your server.  Otherwise it's worth considering using a
reputable 3rd party credit card processing company so you never have or need
to have the credit card info. yourself.  My 2 cents.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/



--__--__--

Message: 6
Date: Wed, 15 May 2002 06:44:16 -0700
From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
Organization: nobaloney.net
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Credit card
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

duncan gray wrote:

> Do the credit card
> companies say you can't do this sort of thing? Is it chiseled out in
> stone somewhere?

At least as of yet the Credit Card issuers have NOT told us HOW to
secure our credit card information, though some are beginning to ASK.

> I'm sure holding CC details on the server would be
> more secure than the office next door, where all someone has to do is
> break a window (ok yeah just an example), take the receipts, etc.

While we use a third-party gateway to process credit cards, we do end up
with some credit card numbers.  They're secured in a virtual drive
created by a jetico.sci.fi product (see my previous post in this thread),
on a protected system behind a firewall.

> Or just look over someone's shoulder when they are making a payment
> somewhere.

It's not really about physical security so much as risk and perceived
security.  I stand by statements I've been making for years that your
credit card is more secure (in general) on the 'net than it is in a
restaurant when you give it to that 20yo waiter/waitress who just
started working at the local coffee shop with no background check.

But I still don't want to end up on the six-o'clock news.

Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484

--__--__--

Message: 7
Date: Wed, 15 May 2002 14:03:29 +0000 (GMT)
From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Credit card
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

dg> Date: Wed, 15 May 2002 00:29:58 -0700 (PDT)
dg> From: duncan gray


dg> So really the main issue is getting the information off the
dg> server as soon as possible, so if for some reason you were
dg> hacked, they only get 1 number, or none as you've already
dg> removed them.  Do the credit card companies say you can't do

No.  Encrypt the info using asymmetric encryption or a hybrid
(random symmetric key, with key asymmetrically encrypted, a la
PGP/GnuPG/SSL) approach.  Store info on a _separate_ bastion
server.

Then, if someone cracks the webserver, they cannot decrypt
existing records.  The encrypt/decrypt keys are different, and
always should be transmitted via a secure channel.

Note that if someone cracks the webserver they can still install
trojans, so you're not in the clear re new CC info.  And if they
scan memory pages or swap partitions for certain regexps, such as
"([0-9]{4}[\ -]?){4}", you have a problem.


dg> this sort of thing? is it chiseled out in stone somewhere?

The lower the risk, the friendlier the merchant provider will be.
Anger one if you dare.  Tell them you're storing unencrypted
info, and see what happens.

As Gerald (others?) pointed out, it's not much harder to do it
better... and, I maintain, not too difficult to do it right.  If
one cuts corners on something as basic as encryption, what else
is lacking?


dg> I'm sure holding CC details on the server would be more
dg> secure than the office next door, where all someone has to
dg> do is break a window (ok yeah just an example), take the
dg> receipts, etc. Or just look over someone's shoulder when they
dg> are making a payment somewhere.

How many x86-based RaQ admins running BIND-8.2.2p*?  How many
type "the keys to the kingdom" over clear text on a shared
ethernet segment?  How many use short passwords that are easily
guessable via dictionary-based attacks?

Given clueful administration, the server is more secure.  But
that's a rather large assumption.  What's really scary is how
many people don't even know the issues at hand...


--
Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

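The scan Eddy describes above, as an added example that is not part of the original digest and not code from any list member: a Go program that runs his `([0-9]{4}[ -]?){4}` pattern over an arbitrary byte buffer (a page of swap, a core dump, a mail spool, a log) and keeps only the sixteen-digit hits that pass the Luhn mod-10 check, which is exactly what a scraper left behind by an intruder would do, and why "only one number on the box at a time" does not help once the box is owned. `SampleSwapPage` is a constructed buffer; the 4111... and 5555... numbers in it are the standard test numbers, not real cards. The repeated-digit filter is an assumption of this example, added because an all-zero run passes Luhn.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Eddy's pattern: four groups of four digits, each optionally followed by a
// space or hyphen. It catches card numbers, and also timestamps, invoice
// numbers and anything else with sixteen digits in a row.
var candidate = regexp.MustCompile(`([0-9]{4}[ -]?){4}`)

// luhnValid reports whether a string of ASCII digits passes the Luhn
// mod-10 check that every issued card number satisfies.
func luhnValid(digits string) bool {
	if len(digits) == 0 {
		return false
	}
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// digitsOnly strips the separators the pattern allows.
func digitsOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// FindCardNumbers scans a raw buffer and returns, in order of first
// appearance, the distinct 16-digit sequences that look like real cards.
func FindCardNumbers(buf []byte) []string {
	var found []string
	seen := map[string]bool{}
	for _, m := range candidate.FindAll(buf, -1) {
		d := digitsOnly(string(m))
		if len(d) != 16 || seen[d] || !luhnValid(d) {
			continue
		}
		// Assumption of this example: a single repeated digit (0000...) passes
		// Luhn but is never issued, so drop it rather than report it.
		if strings.Count(d, d[:1]) == len(d) {
			continue
		}
		seen[d] = true
		found = append(found, d)
	}
	return found
}

// mask shows a number the way a report should, not the way a thief would.
func mask(n string) string {
	return n[:6] + strings.Repeat("*", len(n)-10) + n[len(n)-4:]
}

// SampleSwapPage is a constructed stand-in for a page of swap or a core
// dump: a CGI query string, nulls, and several sixteen-digit runs of which
// only two are card numbers (both are standard test numbers).
var SampleSwapPage = []byte(
	"GET /cgi-bin/order.cgi?id=2002051520430000 HTTP/1.0\n" +
		"\x00\x00\x00card=4111-1111-1111-1111&exp=12/04&name=D+Gray\x00\x00\n" +
		"invoice 1234 5678 9012 3456 fails Luhn, not a card\n" +
		"serial 0000-0000-0000-0000 passes Luhn but is all one digit\n" +
		"refund card 5555 5555 5555 4444 kept in the spool\n")

func main() {
	for _, n := range FindCardNumbers(SampleSwapPage) {
		fmt.Println("found card number", mask(n))
	}
}
```

Run it with `go run scan.go`; to use it against a real image, read the swap partition or core file into the buffer instead of `SampleSwapPage`. The four sixteen-digit runs in the sample all match the regex; only the two test card numbers survive the Luhn and repeated-digit filters, which is the point: the pattern is cheap, and the filter that turns noise into a usable list of cards is cheap too.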


--__--__--

Message: 8
Date: Thu, 16 May 2002 00:57:16 +0400 (MSD)
From: Eugene Crosser <crosser@xxxxxxxxxxx>
Subject: Re[2]: [cobalt-security] Credit card
To: cobalt-security@xxxxxxxxxxxxxxx
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On Wed, 15 May 2002 09:30:14 -0400 Steve Werby <steve-lists@xxxxxxxxxxxx>
wrote:

> "duncan gray" <duncanrobertgray@xxxxxxxxx> wrote:
> > So really the main issue is getting the information off the server
> > as soon as possible, so if for some reason you were hacked,
> > they only get 1 number, or none as you've already removed them.
>
> I wouldn't even want to risk someone accessing a single credit card
> number.  If someone hacks into the server they'll be able to access all
> of the credit card info you store in plain text, regardless of how long
> the data stays on the drive.  All that's needed is a process that
> monitors for new credit card info and records it or emails it somewhere.
> Sure, the hacker might only be able to get info. from one transaction at
> a time, but that isn't going to make you look any better when you're
> hacked and the info. is stolen.
>
> > I'm sure holding CC details on the server would be more secure
> > than the office next door, where all someone has to do is break
> > a window (ok yeah just an example), take the receipts, etc. Or
> > just look over someone's shoulder when they are making a
> > payment somewhere.
>
> Well, if your server is connected to the Internet, then it's possible
> for an intruder to be located anywhere on the planet.  If the credit
> card info. is in your office the potential intruders are a little more
> geographically restricted.  <g>  Seriously, in any case it's advisable
> to take the proper precautions.  If you process the credit card info.
> yourself then it's advisable to encrypt it using gnupg or pgp and
> either keep no paper/electronic trail of unencrypted info. or keep it
> very, very secure and definitely off your server.  Otherwise it's worth
> considering using a reputable 3rd party credit card processing company
> so you never have or need to have the credit card info. yourself.  My 2
> cents.

We do the credit card processing this way: inside the CGI, immediately
encrypt the data with the public key.  The corresponding private key does not
exist on this server.  Encrypted data is sent over UUCP (crossover serial
cable) to a machine that is not connected to the Internet at all.  There the
card data is decrypted and used for payments (over a telephone line in our
case).  Practically the only way the data can be intercepted without physical
access is by compromising the CGI script.

Of course we implemented all this before the internet boom, when people
were serious about security...

Eugene
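The arrangement Eddy (message 7) and Eugene (message 8) describe, as an added example in Go that is not part of the original digest and not either poster's code: a fresh random symmetric key per record, the record encrypted under that key, and the key wrapped under a public key whose private half lives only on a machine the web server cannot reach. `Seal` is the part that would run inside the CGI on the RaQ with nothing but the public key; `Open` is the part that would run on the isolated back-office host. The function names, the envelope layout, and the choice of AES-256-GCM and RSA-OAEP are this example's; the card record is a constructed sample using the standard 4111... test number. Serializing the envelope for UUCP or a mail spool is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the only thing that ever touches the web server's disk or
// the transport to the back office (UUCP, a POPed mailbox, a copied file):
// the random AES key wrapped under the merchant's RSA public key, plus the
// AES-GCM ciphertext of the card record.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(merchant public key, aesKey)
	Nonce      []byte // 12-byte GCM nonce, unique per envelope
	Ciphertext []byte // AES-256-GCM(record), authentication tag appended
}

// NewMerchantKey generates the merchant key pair. In practice this runs once
// on the isolated host; only PublicKey is ever copied to the web server.
func NewMerchantKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs inside the CGI on the web server. It needs only the public key,
// so an intruder who owns this host gets ciphertext and a key that can only
// encrypt; records already sealed stay opaque to them.
func Seal(pub *rsa.PublicKey, record []byte) (*Envelope, error) {
	aesKey := make([]byte, 32) // fresh random key for this one record
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, record, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	// Overwrite the symmetric key now that it is wrapped. The Go runtime gives
	// no guarantee the bytes were not copied elsewhere, so this is best effort
	// and not a substitute for keeping the private key on another machine.
	for i := range aesKey {
		aesKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs only on the isolated host that holds the private key. GCM
// rejects any envelope whose ciphertext or nonce was altered in transit.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, err := NewMerchantKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; 4111... is the standard Visa test number.
	record := []byte("4111111111111111|12/04|D. Gray|order 2002-0515-01")

	// Web server side: only &priv.PublicKey would exist here.
	env, err := Seal(&priv.PublicKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("envelope: %d-byte wrapped key, %d-byte ciphertext\n",
		len(env.WrappedKey), len(env.Ciphertext))

	// Back-office side: private key present, decrypt for the payment run.
	plain, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes, matches original: %v\n",
		len(plain), string(plain) == string(record))
}
```

Two properties are worth checking by hand. First, `Open` fails if a single byte of the ciphertext is flipped, so the back office notices tampering on the transport. Second, a different merchant's private key cannot open the envelope at all, because the wrapped AES key only unwraps under the one private key. Neither property depends on anything the web server holds, which is what separates this from "encrypt with a key that is also on the box".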


--__--__--

Message: 9
From: Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
Organization: Front Street Networks LLC
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Credit cards
Date: Tue, 14 May 2002 11:05:41 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On Tuesday 14 May 2002 10:28 am, Jeff Lasman wrote:
> duncan gray wrote:
> > I'm guessing that you would need something along this
> > line.
> >
> > A SSL certificate for encrypting server - client
> > communication.
> > Encrypted DB.
> > A firewall.
> >
> > Is there anything else?
>
> A secure way of getting the details off the system and into the hands of
> someone.  Either a secure (pgp/gpg) email system, OR a procedure for
> sending the information to an email account on the box that you read
> through webmail over a secure connection, or some other way of reading
> the credit card information over a secure connection.

No *don't* store the info in a mail spool on the server unencrypted.

> And how about a procedure in place to get those credit card numbers OFF
> the system on a regular basis so if it is hacked, you won't end up on
> the six-o'clock news.

Again, store and pop (deleting from the server) encrypted.
When they get to the client, they are still safe as they are encrypted.

--
Gerald Waugh
http://www.frontstreetnetworks.com :: Phone. [011] 203.785.0699
Front Street Networks LLC | SOHO Networks & Web Site Hosting
229 Front Street, Ste. #C, New Haven, CT, 06513-3203 United States


--__--__--

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security


End of cobalt-security Digest