[SecurityRatty] tag: carts

Hype Alert: Internet Shopping Carts Are Secure

Fri, 26 Sep 2008 11:00:00 +0000

My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled Internet Shopping Carts are Secure.
OMG...really?
To be fair, I realize the author is speaking from the eCommerce perspective, rather than that of an information security practitioner, but here's where the trouble begins:
"Shopping cart service providers have developed secure ecommerce shopping cart solutions for any business owner looking to enhance their current online store, or create a new one. Some ecommerce shopping cart solution providers are even receiving PABP (Payment Application Best Practice) certification which supports PCI compliance requirements for all businesses accepting credit card payments online."
This may be true in part, but it is by no means an all-inclusive claim. Shopping carts continue to be sieve-like, even when apparently reviewed per PCI standards.
Allow me to elaborate.
We'll kick off our hype eliminating effort with a simple Google dork: inurl:"cart.cfm" (picking on ColdFusion again, but man, they make it easy)
GM Parts Direct: Your Shopping Cart jumped right out at me for a number of reasons.
First, I sensed XSS vulns lurking like a Geiger counter senses radiation. Sound effect for edification. :-)
Second, the page contained one of the growing number of aforementioned conversion-driving website security seals.

Tick, tick, click...the Gieger counter is getting louder.
Trustwave claims that the site operator "is enrolled in Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations including: American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe."
Methinks that Trustwave's Trusted Commerce program is missing a few fundamental security checks. Remember, XSS in PCI regulated sites, according to the PCI DSS, indicates that a site is not compliant (see section 6.5.4) if vulnerable to XSS.
Uh-oh.

All it takes is a fake login page, as opposed to our friends at XSSED.com, and...well, you get the point.
Simply, this is one of an endless number of shopping cart not secure, and not PCI compliant. For shame. You need only browse the Holisticinfosec.org Advisories page to find multiple ecommerce platforms and shopping carts that are missing the mark. Trust me, these are a fraction of the problem.
ecommerce<>security
ecommerce<>SDL
ecommerce<>PCI
website security seal<>security
Sigh.

Hotel's Dirty Drinks

Sat, 22 Mar 2008 19:41:25 +0000

.. and I don’t mean Martinis.

I’m frequently in hotels. And I’m frequently drinking water. It’s usually room-temperature tap water, so when I started noticing funny tastes and smells in hotel room glasses, it got me wondering exactly how they clean and replace those in-room glasses.

Over the past several weeks I took a mental survey of housekeeping carts. (I frequently sneak an extra shampoo or conditioner at some point, so I’ve usually spent a bit of time exploring the carts, and what’s on them.) I thought about it and realized I’ve never seen glasses (clean or dirty) on any housekeeping carts…. hmm…. they’re not changing them out… so how are they cleaning the glasses?

I was getting ready to post a blog asking just that question when I did a search online and confirmed my worst suspicions. Looks like there’s a nation-wide coup over just this very topic, after numerous TV news ‘stings’ with hidden cameras. On the first search page, I found such video from LA, Maryland and Atlanta, and saw links to several other postings.

If you’re curious… check out some of the findings… I’ll warn you though, in more than one video, there’s a glove, toilet swishing and then glass-cleaning… same glove. (uggggh)

Good Morning America Report - link
News in Atlanta - link
ABC 2 in Maryland - link
ABC 7 in LA - link

I think I’ll have to start packing my own bottles… the only dirty drink I want comes with gin and olives. ;)

# # #

Maryland Department of Assessments & Taxation web exposure

Sat, 05 Jan 2008 11:02:15 +0000

Technorati Tag: Security Breach

Date Reported:
1/4/08

Organization:
State of Maryland

Contractor/Consultant/Branch:
Department of Assessments and Taxation
Towson University's Regional Economic Studies Institute

Victims:
Maryland residents applying for a homestead tax credit

Number Affected:
Unknown*

*roughly 900 people used the system on the day in question.

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
A web application used to collect information from residents over the internet was not adequately secured with encryption leaving some sensitive personal information un-protected while transferred from clients to the Web server.

Reference URL:
Washington Times News Story

Report Credit:
Gary Emerling, The Washington Times

Response:
From the online source cited above:

Officials said residents applying Monday for the homestead-tax credit at the Maryland Department of Assessments and Taxation Web site (www.dat.state.md.us) may have exposed their Social Security numbers online because the application system did not have a necessary security certificate to encrypt the information before it was sent out over the Internet.

Robert Young, the department's associate director of assessments and taxation, said the gap briefly left the numbers exposed, but the information was transferred to a secure server after an application was submitted.
[Evan] Let's hope that the "secure server" is actually secure. This breach would not have occurred if proper security testing were carried out prior to production. If the site itself had not been properly tested, should we assume that the secure server had/has been.

"For that minute or so there ... that wasn't encrypted," Mr. Young said. "If they submitted an application, it went to a different section that was encrypted."
[Evan] My interpretation is that the "secure server" encrypts the information and it is stored encrypted. If so, then good work! Although, I could be wrong.

The application system on the site went online Dec. 28 but was not accessed until Monday, after residents had received their assessment notices in the mail. Roughly 900 people used the system that day.

Mr. Young said it would have been nearly impossible for anyone to access the numbers because of the brief amount of time they were exposed and because hackers would have had to tap into Internet transmission lines from a specific location.
[Evan] Not nearly impossible.

"Somebody would have had to been focused in on that site," Mr. Young said. "The chances of that are virtually nil."
[Evan] I do agree that the risk is relatively low, I do not agree that an attacker would have to have "been focused in on that site" in order to capture the information.

Tim Brooks, the institute's associate director in charge of software development, said a hacker would have had to be located right outside the home of a resident accessing the site or outside of the institute's data center at Towson to steal the numbers once they were sent out over the Internet.
[Evan] This is not true. A successful compromise of the data transmission could take place at any point between the resident's computer and the server itself. This would include anywhere between a resident's computer and the resident's internet access point (usually a router), the resident's access point and all traversed points within the resident's internet service provider's (ISP) network, between the resident's ISP and any other traversed points within any other internet network provider on the way to the State of Maryland's ISP, all traversed points within the State of Maryland's ISP, and all traversed points within the Maryland network until it reached the web application server. The risk of compromised between all of these points is still relatively low, but it is unnecessary risk nonetheless.

"While it is technically possible there was some sort of compromise, it is logistically unfeasible," Mr. Brooks said.
[Evan] It is logistically infeasible for a single attacker to capture all of the information sent in the clear.

officials shut down the site on Monday at about 4 p.m. and added the extra protection. The site reopened Wednesday at about 4:15 p.m. and is now secure.

Commentary:
Maybe you read the information about this breach differently, but to me it seems that someone forgot to configure encryption (i.e. http vs. https) for the data in transit to the State of Maryland's web site that was collecting sensitive information.

Althought, I agree with the officials that claim the risk of exposure to resident's personal information is low, it was such an easily avoidable risk. The amount of risk would have risen with the amount of time that the vulnerability existed. Web applications, especially e-commerce shopping carts and others that collect confidential information, must be thoroughly tested by knowledgeable information security personnel prior to production. More than anything else, this breach causes unneeded embarrassment for the State of Maryland and perhaps provides insight into software development practices as it related to information security.

On semi-related note, according to a story posted on the Louisville, Kentucky Courier Journal claims that "A 15-minute search on the Maryland Department of Assessments and Taxation Web site found Social Security numbers on statements filed by creditors who had financed purchases by four consumers in Waldorf, Cambridge, Bowie and Landover in 2003 and 2004."

Past Breaches:
August, 2007 - Stolen laptop from the Maryland Department of the Environment

Secrets of a Road Warrior

Mon, 16 Oct 2006 04:34:00 +0000

I have been a road warrior since just after 9/11. For the past 5 years I have spent at least 6 months of the year somewhere other than where I call home. At one point after .NET was released in 2002, I spent over a year and a half visiting 2 cities a week (fly out Sunday, speak at a seminar from 7:30 to 5:00 Monday and Tuesday, fly home Tuesday night, fly back out Wednesday night, speak at a seminar from 7:30 to 5:00 Thursday and Friday, fly home Friday night, wash, rinse, repeat).

Some think the secret to being a road warrior is his durability, and for a large part that’s true. But it’s not just a matter of surviving, but thriving through any situation that my come up comfortably. The real key is always being prepared. You never know what might happen.

Last night I was watching the news about the earthquake in Hawaii and thinking of a loved one who was out there for a conference. I saw hospitals being evacuated, police breaking up fights over gas and food at convenience stores, bridges and roads that were un-drivable, no power, no water, no flights allowed in or out, etc. and I was worried. It reminded me of several situations I experienced personally.

Hurricane Ivan was by far the worst thing I’ve ever been through, and there have been many.

In September of 2004, I was working on a project in Montgomery, and had to be there the day before the storm arrived. Things seemed normal enough at work, until everyone spent the second half of the day gossiping over whether or not they would have to come into work tomorrow.

I was in meetings all day and was oblivious to the news. By time I left work, both lanes of I-85 were converted for northbound traffic as a mass exodus of people from Biloxi to Mobile to Panama City were heading north to get out of the storms way. I had a perfectly good hotel room and opted to stay there instead of sitting on the freeway for what would have been a long, miserable drive back to Atlanta. There wasn’t a bottle of water left on store shelves, so I decided I’d be okay and just head back home in the morning.

I never expected that the storm would be strong enough to do any damage as far inland as Montgomery…but it was.

I awoke the next morning to no power and no water, which was the perfect motivation I needed to get on the road and head home early. I figured by leaving this early, the traffic on I-85 would be decent enough to make good time back to Atlanta. I had a perfect view of I-85 from my room, and when I went to look, sure enough there wasn’t a single car on the freeway…there were however a number of trees, the marquee from the hotel, shopping carts, trash cans, and even a stray sock.

I was stuck.

I wasn’t worried at first. I had endured several hurricanes before, once in a tent (Alberto, which dropped 24 inches of rain in a single night that cut off all the roads in and out of our base camp on the Flint River; I spent a week wet, living in a tent, and as a brand new lifeguard, performing live rescues for the first time).

Things started to set in when I tried to find food. The halls of the hotel were littered with refugees who even though they didn’t have a room, the hotel let them set up camp in the lobby, hallways, etc, each one of them with a giant cooler, luggage, and all acting as if they had done this a million times.

With no power, the vending machines were useless. I got in my car to venture out, but a tree blocked off the single entrance to the hotel. I decided to walk, but it was a ghost town. With no power, nothing was open.

Then my cell phone died.

I spent 2 and a half days in Montgomery, without a lick of food and only a single warm bottle of water I traded a man for a pillow.

Most of Montgomery was without power for 4 days. I was unlucky in that I had no supplies whatsoever, but lucky in that I was able to leave after waking up the third day to see that the roads had been cleared. The refugees who had to spend weeks in shelters and hotels had it far worse.

Now I am always prepared. It’s helped me through several other hurricanes (read Katrina), an ice storm, and a few other minor inconveniences. When I’m on the road, I always make sure to adhere to a few simple rules:

Never get below half a tank of gas, and always fill it to the top.
Keep a case of water in the trunk of the car. Most gas stations sell them now and it’s easy enough to grab one when you’re getting gas. If I’m flying, I always keep 2 in my carry on and I make sure to stock my room immediately after I check in.
Keep nuts and energy bars in my bag. If you have to go without food for a couple of days or for 4 hours while your plane sits on the runway without a pilot (thanks Delta!), you’ll be happy to have a something to eat.
Always keep a full charge on the cell phone and pack a car charger.
Keep an emergency calling card in your wallet. They are cheap enough these days and if something happens to you cell, you’ll find it terribly inconvenient not to be able to make any calls.
Carry a MP3/FM Radio. You can listen to MP3’s to take your mind of off things and be able to tune into local news advisories.

None of this does a single bit of good while you sit at home and worry about a loved one half way around the world, but hopefully it will allow your loved ones not to have to worry about you one day.