[SecurityRatty] tag: convenience

ColdFusion: Hack Me or Help Me

Thu, 28 Aug 2008 06:13:00 +0000

For your consideration, the endless battle between security and convenience.
Front and center: ColdFusion.
I've been picking on ColdFusion-built apps again a bit lately, and one of my observations has been that consistently, if mismanaged, the verbose error reporting features in ColdFusion can be really problematic.

HIO-2008-0713 JOBBEX JobSite SQLi & XSS
HIO-2008-0729 BookMine SQLi & XSS

Recently, I stumbled on an example of way too much information disclosure in a few sites running a ColdFusion-built CMS. The error reporting was so verbose it included the base path, data source name, database username, and yes, the database password.
I've cleaned it up for the protection of all involved, but here's a screen shot of only 1/4 of the details this site coughed up when I tweaked the input to a calendar date variable.

When I reached out to the developers of this app (always and immediately responsive), they assured me that this was not due to a flaw in the app, but that the "information should be protected, and is by default for our installations" and that the client disabled the security check and turned debugging on. I accept this explanation entirely, but it leads to the classic debate around the dangers of mismanaged debugging features, be they developer added or ColdFusion feature driven. Stupid user tricks are always an issue, but how much rope should they be given to hang themselves? Does error reporting really need to include the database username and password?

Allow me to present a few different perspectives.
First, rvdh's take on Attacking ColdFusion. Developers can learn a lot from this post, if only in that it precisely points out attack vectors. Ronald sums up my concerns aptly:
"As we know, error messages are important. Especially error messages generated by database software we want to inject. This, is useful for obtaining information about table structures that can be a real time-saver for attackers. If the right information is available, attackers do not have to guess database tables and fields anymore, nor having to brute force them. I have never seen so much information regarding the site's structure, used database, table names, drivers, server setup and other information useful for attackers that those of ColdFusion. It almost says: Please Hack Me!"
As I can't presume to improve on this stance, I won't. Well said.

Next, a developer's take on the issue from Joshua Cyr, who has declared it Check Your Error Output Day. Joshua highlights two key points:
1) Do NOT enable the robust errors setting in CF Administrator.
2) Don't forget to remove debugging dump code.
Heed this advice, ColdFusion fans!

One destination that all "secure" ColdFusion paths should lead to is the use of cfqueryparam. Ronald spells it out well mid way through his discussion, and so do the following resources:
coldfusionjedi
Coldfusion Muse

Further excellent resources for ColdFusion security issues:
SQL Injection Part II (Make Sure You Are Sitting Down)
12Robots.com

In closing, security and convenience needn't always be at odds, but often allowing for both requires a higher state of awareness for developers and end-users. Let common sense prevail; perhaps it'll give me less to do in the way of research. ;-)

del.icio.us | digg

Yes Virginia there really are HIPAA police

Fri, 25 Jul 2008 11:58:50 +0000

One of the things that I have always not understood about HIPAA is what teeth do these regulations have and who is going to enforce them. There are plenty of firms willing to take your money and rubber stamp you HIPAA compliant, but who is going to say your not HIPAA compliant and why should you care. Finally reading this article in Security Bytes it looks like the federal government has stepped up to enforce HIPAA and have put some bite behind the bark. Providence Health in Seattle was fined 100k by US Department of Heath and Human Services for losing data containing patients information.

I say good for the HHS! A few well publicized fines where people had to pay real money will go further in getting people to take HIPAA seriously than all of the other dog barking and warnings that have taken place to date. The same goes for other regulations and statues on compliance as well. Lets hear about some financial sanctions or penalties around PCI and you will see a drastic rise in compliance there as well. Rules and regulations without enforcement serve no purpose at all and hurt more than they help.

Yes Virginia there really are HIPAA police

Fri, 25 Jul 2008 11:01:24 +0000

OSF DATA LOSS db a valuable resource

Wed, 16 Jul 2008 13:10:00 +0000

As a longtime reader of the The Data Breach Blog, I was pleased to learn that care and feeding of Attrition.org's Data Loss Database has been assumed by the Open Security Foundation. Check out the DATA LOSS db at your earliest convenience, join, and support.
From the site, the OSF Data Loss database is a "research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, with the move to OSF, and relies on the contributions of users like you to grow and prune the database."
Do your best not to find yourself an entry in this database. ;-)

Speaking of Security Podcast #113

Sun, 13 Jul 2008 20:00:00 +0000

Click to Download/Listen (11:11)

With users wanting more real-time, self-service options, many organizations have migrated their services to remote channels including the Internet or Call Centers but these services and benefits come with added risks of fraud and identity theft. Knowledge-based authentication (KBA) offers customers the opportunity to benefit from remote interactions with stronger security as well as the added convenience of real-time authentication. Learn more in this week's podcast. In other news, we bid a fond farewell to co-host Matt Buckley.

Techie Travels- What Do YOU Look for in a Hotel Room?

Tue, 08 Jul 2008 00:05:00 +0000

I’m on the road… again. After some really great (and a few really crappy) hotel stays in the past few weeks, I started thinking about ‘what makes a good hotel’.

Recently I spent one week at a customer in a hotel where the staff obviously was hosting nightly parties down at my end of the hall- from about 2:00am - 5:30am each (yes- every) night I was there. The hotel I’m in tonight has no elevator. Yeah. @#$! That’s what I said. Twice in the past 10 days or so, I’ve been in really nice resort-hotels, so I’ve had the whole spectrum this month and last.

For me, sometimes it’s the little things… I really like it when hotels have conditioner, instead of just shampoo. I like space- so a nice work area is important to me. Of course a big soft bed and plenty-o-pillows is a key ingredient. A whirlpool or jetted tub (in the room) is icing on the cake. Exercise rooms are good, although half the time I’m too tired when traveling or have work to do (I know- excuses, excuses ;). Convenience is also a biggie- I had a run in Las Vegas where *every* room I had felt like it was a 10-minute walk just to the elevators. When I’m on-site for a customer, I also love the hotels with the do-it-yourself breakfast- I can go when I want and grab something before heading out for the day. I love the little lighted makeup mirrors… and of course a full-length for checking out the wardrobe. Plugs! I love lots of plugs. I like hotels that secure the outer doors early and require a key for access to various parts of the building.

Sometimes it’s the bigger things… Hotels with outside-facing doors make me paranoid, and obviously those in neighborhoods where your rims may disappear is not good either. I hate hotels that MAKE me valet park my car. It’s my car, my keys, I park it and I keep the keys- that’s my rule. (My Dad taught me a little trick of telling the valet boys that it’s a company car and against corporate policy for valet- it works!)

Traveling techies sometimes have unique needs or requests, and many of the ‘good list’ is universal for all traveler types.

So, those are some items from my little list… What about you- what do YOU look for in a good hotel?

# # #

Petroleum Wholesale charged with exposing customers

Sun, 22 Jun 2008 17:58:23 +0000

Technorati Tag: Security Breach

Date Reported:
6/19/08

Organization:
Petroleum Wholesale, L. P.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information"

Breach Description:
”HOUSTON -- Petroleum Wholesale, which operated Sunmart Travel Centers and Convenience Stores in 10 states, was charged by the Texas Attorney General of improperly disposing of customer records"

Reference URL:
The Pasadena Citizen
KHOU-TV Channel 11 News
Convenience Store News

Report Credit:
The Pasadena Citizen

Response:
From the online sources cited above:

HOUSTON - Texas Attorney General Greg Abbott today charged Houston-based Petroleum Wholesale, L.P., which operates Sunmart Travel Centers & Convenience Stores in 10 states, for exposing its customers to identity theft.

According to the state's enforcement action, Petroleum Wholesale improperly discarded customer records containing sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information.

"This defendant is charged with failing to protect its customers' sensitive information," Attorney General Abbott said.

"With more than 20,000 Texas victims each year, identity theft remains one of the nation's fastest-growing crimes. The Office of the Attorney General will continue working to protect Texans from identity theft."

Investigators with the Office of the Attorney General (OAG) discovered that the company improperly discarded hundreds of customer records in a publicly-accessible trash container outside its former headquarters.
[Evan] According to information posted on the Petroleum Wholesale web site, "Petroleum Wholesale services more than 350 retail locations throughout ten states." This breach has the potential to affect many, many people.

According to investigators, the records included sales receipts with customers' names and full credit or debit card numbers with expiration dates.

The records also included returned checks, along with forms listing customers' names, banking routing numbers, driver's license and Social Security numbers.

The defendant is charged with violating the 2005 Identity Theft Enforcement and Protection Act, which requires the safeguarding and proper destruction of clients' sensitive personal information.

State law establishes penalties of up to $50,000 per violation of the Act.
[Evan] This could add up quick. What's a better business decision, a few hundred bucks for a cross-cut shredder and accompanying procedures, or fifty grand per incident? Although, I am not sure that a shredder and procedures are not all that is needed in Petroleum Wholesale's information security program (assuming one exists).

The OAG also charged the company with violating Chapter 35 of the Business and Commerce Code, which requires businesses to develop retention and disposal procedures for their clients' personal information.

The law provides for civil penalties of up to $500 for each abandoned record.

For more information about preventing identity theft, contact the Office of the Attorney General at (800) 252-8011 or visit the agency's Web site at www.texasattorneygeneral.gov.

style="font-weight: bold;">Commentary:
One question that isn't clear from the news reports is whether or not this was a common practice at Petroleum Wholesale. Organizations should take heed of this case. I think actions taken by Mr. Abbott and other State Attorney Generals will only become more frequent.

I look forward to more information in the future about this case.

Past Breaches:
Unknown

Citibank ATM Server Allegedly Hacked, Leading to Cash Machine Crime Spree

Wed, 18 Jun 2008 19:45:00 +0000

A Citibank server in charge of processing ATM withdrawals from 7-Eleven convenience stores suffered a breach last year, according to federal prosecutors, who say two New York men used the stolen account numbers and PIN codes to withdraw at least $750,000 in cold, hard cash.

Tucson area Domino's Pizza customer information exposed

Wed, 18 Jun 2008 06:43:34 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
Domino's Pizza

Contractor/Consultant/Branch:
Unnamed former owner of 24 Tucson area locations

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names and credit card numbers

Breach Description:
Hundreds of credit card receipts dating back as many as five years were found "blowing in the wind" after a former owner of 24 Domino's Pizza stores in the Tucson, Arizona area was found to have been discarding boxes of old records near her home.

Reference URL:
KVOA Channel 4 News

Report Credit:
Tom McNamara, KVOA Channel 4 News

Response:
From the online source cited above:

Investigators found credit card numbers blowing in the wind for anyone to see.

These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores.

When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old.
[Evan] Is there any business reason to keep credit card receipts for this period of time? I suppose a case could be made that these should be kept for up to seven years for tax purposes.

We contacted the former owner of 24 Domino's Pizza stores in Tucson.
[Evan] This could have been a very risky breach in terms of overall potential impact considering the number of affected persons. 24 stores, x number of credit card transactions per year, and 5 years could add up to a pretty significant number.

She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose.
[Evan] Incidents like this tear me up. I very much doubt that this lady had any malicious intention behind her actions, but nonetheless her actions could have caused considerable inconvenience (and possible loss) to a number of individuals. I presume that she just didn't know any better.

We found Scott Brumage's name and credit card number on one of those receipts in the alley.

Tom McNamara asks him, "See that? Recognize that name? Recognize the number?" Scotts nods, "Uh huh."

Tom asks, "Well how'd you feel when we called you out of the blue and told you what we'd found? What went through your mind?"

"It was just kind of surreal at first because I like to think I can trust using my card [because of] the convenience and everything of course."

Scott was startled to see his name and card numbers on our screen.

He says he's ordered a lot of pizzas over the years and expects privacy and protection when he pays for his pepperoni pie.
[Evan] Is this an unreasonable expectation? Maybe it is an unreasonable expectation, given the current environment and considering the bigger picture (merchants, processors, banks, "the system", etc.). I don't think that it is an unreasonable requirement, but requirements, expectations and practices are not in alignment.

Scotts tells us, "I don't know. [I'm] just dumbfounded, other than they need to figure a better way of disposing."
[Evan] It is dumbfounding, isn't it. I often wonder what people are thinking when they do some of the things they do.

The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same.

They say there could be enough information on the receipt to help a thief reveal more information about you, such as your social security number.

It's small comfort for Scott. He says, "I'm hoping this is a one time only [situation]. They might have just lost a loyal customer."
[Evan] The impact to the victim is usually pretty clear and easy to quantify. The impact to the business (or organization) is not usually as easy to measure. In a competitive business like pizza sales, companies need to identify and communicate differentiators like ingredient quality, service, taste, price, location, etc. Maybe if customers viewed information security practices as an important differentiator, businesses would put more time and effort into securing information. Pipe dream?

In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.

Commentary:
This breach reminds me of a recent discussion I had online with Benjamin Wright in the comments section of the "Cotton Traders confirms that their website was compromised" breach. He makes a very good argument regarding accountability in credit card breaches. My responses to him are included.

Past Breaches:
Unknown

Laptop stolen from a Quest Diagnostics employee

Tue, 17 Jun 2008 08:09:12 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
Quest Diagnostics

Contractor/Consultant/Branch:
None

Victims:
Patients*

*assumed

Number Affected:
Unknown

Types of Data:
"name, address, and social security number"

Breach Description:
On May 1, 2008 a Quest Diagnostics employee's password protected laptop computer, which contained certain personally identifiable information, was stolen.

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

This letter is being sent to you in accordance with the requirements of the Maryland Personal Information Protection Act to advise you of the breach of security of personal data of certain Maryland residents.

The breach arose out of the theft of a password protected laptop computer of one of our employees on May 1, 2008.
[Evan] Really, what does the "password protected" mention have to do with anything other than to convince someone into thinking that the laptop was more protected than it actually is/was? Password protection (alone) is just not adequate for sensitive confidential information, unless of course an organization has deemed the risk to be not significant enough to warrant further protection such as encryption coupled with strong authentication. I presume that the laptop was not protected with encryption due to the fact that there is no mention of it. To me, the risk seems significant enough.

The personal data includes the name, address and social security number

At this time we have no reason to believe this incident will lead to fraudulent credit applications or other identity theft crimes.
[Evan] Yep, but the company DID unnecessarily increase the risk of this happening to someone now and in the future.

Nevertheless, because the laptop which includes this information cannot be located, we want to notify you about this incident.

To further reduce the risk of any harm to you we are offering you a credit monitoring product to identify any potential misuse of your personal information.

Quest Diagnostics takes the issue of safeguarding private information very seriously. For this reason, our data privacy and security policies incorporate comprehensive physical, technical and administrative processes and employee training designed to protect the privacy and security of data and minimize the risk of inappropriate access to sensitive information.
[Evan] Nice! This statement sounds very impressive and uses some common information security best practices lingo. Did any of these "data privacy and security policies" that "incorporate comprehensive physical, technical and administrative processes and employee training designed to protect the privacy and security of data and minimize the risk of inappropriate access to sensitive information" protect the information on the laptop? Do any of these things include restrictions on confidential information stored on mobile devices or encryption of data at rest?

We deeply regret any inconvenience caused by this incident and appreciate your understanding.

If you have any questions, please feel free to call Lisa Mullaly, Information Technology Compliance Director at (800)877-8824, extension 6147 at your convenience.

Commentary:
I may have been a little harsh in my comments, but I think I was justified. Breaches like these are so preventable. Hey, there's another best practice security lingo term, preventative controls. This breach only affected three Maryland residents, according to the breach notification. It is not known if the breach only affects these three people.

Past Breaches:
Unknown