Please unsubscribe our email address - [EMAIL PROTECTED]. Thank you very much.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2002 20:43
To: [EMAIL PROTECTED]
Subject: cobalt-security digest, Vol 1 #783 - 9 msgs

Send cobalt-security mailing list submissions to
	[EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
	http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
	[EMAIL PROTECTED]

You can reach the person managing the list at
	[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-security digest..."

Today's Topics:

   1. Credit card (duncan gray)
   2. Re: Credit cards (Jeff Lasman)
   3. Re: Credit card (Gerald Waugh)
   4. Re: Credit cards (Gerald Waugh)
   5. Re: Credit card (Steve Werby)
   6. Re: Credit card (Jeff Lasman)
   7. Re: Credit card (E.B. Dreger)
   8. Re[2]: [cobalt-security] Credit card (Eugene Crosser)
   9. Re: Credit cards (Gerald Waugh)

--__--__--

Message: 1
Date: Wed, 15 May 2002 00:29:58 -0700 (PDT)
From: duncan gray <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [cobalt-security] Credit card
Reply-To: [EMAIL PROTECTED]

So really the main issue is getting the information off the server as soon as possible, so if for some reason you were hacked, they only get 1 number, or none as you've already removed them. Do the credit card companies say you can't do this sort of thing? Is it chiseled out in stone somewhere? I'm sure holding CC details on the server would be more secure than the office next door, where all someone has to do is break a window (ok yeah just an example), take the receipts, etc. Or just look over someone's shoulder when they are making a payment somewhere.

D.

--__--__--

Message: 2
Date: Wed, 15 May 2002 00:00:41 -0700
From: Jeff Lasman <[EMAIL PROTECTED]>
Organization: nobaloney.net
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Credit cards
Reply-To: [EMAIL PROTECTED]

"E.B. Dreger" wrote:

> I'm writing something that even zeroes RAM where CC info was kept
> after processing. But, then, I'm paranoid. (And, no, that's not
> a plug. We have no current plans to sell the software in
> question.)

Eddy, there's a commercial package available that does that; it's not expensive. You can read about it at "http://www.jetico.sci.fi/" and no, I'm not connected with them in any way except that I use their products.

Jeff
--
Jeff Lasman <[EMAIL PROTECTED]>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484

--__--__--

Message: 3
From: Gerald Waugh <[EMAIL PROTECTED]>
Organization: Front Street Networks LLC
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Credit card
Date: Wed, 15 May 2002 05:27:10 -0400
Reply-To: [EMAIL PROTECTED]

On Wednesday 15 May 2002 03:29 am, duncan gray wrote:
> So really the main issue is getting the information off the server as soon
> as possible, so if for some reason you were hacked, they only get 1 number,
> or none as you've already removed them. Do the credit card companies say
> you can't do this sort of thing? Is it chiseled out in stone somewhere? I'm
> sure holding CC details on the server would be more secure than the office
> next door, where all someone has to do is break a window (ok yeah just an
> example), take the receipts, etc. Or just look over someone's shoulder when
> they are making a payment somewhere.

Don't put unencrypted credit-card info on a server at all. There are goons that have full time jobs looking for credit card numbers (and the info that goes with them) on servers. gnupg is not that difficult to install. It's worth the effort.

--
Gerald Waugh
http://www.frontstreetnetworks.com :: Phone. [011] 203.785.0699
Front Street Networks LLC | SOHO Networks & Web Site Hosting
229 Front Street, Ste. #C, New Haven, CT, 06513-3203 United States

--__--__--

Message: 4
From: Gerald Waugh <[EMAIL PROTECTED]>
Organization: Front Street Networks LLC
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Credit cards
Date: Wed, 15 May 2002 05:29:23 -0400
Reply-To: [EMAIL PROTECTED]

On Wednesday 15 May 2002 03:00 am, Jeff Lasman wrote:
> "E.B. Dreger" wrote:
> > I'm writing something that even zeroes RAM where CC info was kept
> > after processing. But, then, I'm paranoid. (And, no, that's not
> > a plug. We have no current plans to sell the software in
> > question.)
>
> Eddy, there's a commercial package available that does that; it's not
> expensive. You can read about it at "http://www.jetico.sci.fi/" and no,
> I'm not connected with them in any way except that I use their products.
>

We process the card in RAM, then wipe the arrays. I have seen processing software that writes the data to a file, then deletes the file. I stay away from that.

--
Gerald Waugh
http://www.frontstreetnetworks.com :: Phone. [011] 203.785.0699
Front Street Networks LLC | SOHO Networks & Web Site Hosting
229 Front Street, Ste. #C, New Haven, CT, 06513-3203 United States

--__--__--

Message: 5
From: "Steve Werby" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] Credit card
Date: Wed, 15 May 2002 09:30:14 -0400
Reply-To: [EMAIL PROTECTED]

"duncan gray" <[EMAIL PROTECTED]> wrote:
> So really the main issue is getting the information off the server
> as soon as possible, so if for some reason you were hacked,
> they only get 1 number, or none as you've already removed them.

I wouldn't even want to risk someone accessing a single credit card number. If someone hacks into the server they'll be able to access all of the credit card info you store in plain text, regardless of how long the data stays on the drive. All that's needed is a process that monitors for new credit card info and records it or emails it somewhere. Sure, the hacker might only be able to get info. from one transaction at a time, but that isn't going to make you look any better when you're hacked and the info. is stolen.

> I'm sure holding CC details on the server would be more secure
> than the office next door, where all someone has to do is break
> a window (ok yeah just an example), take the receipts, etc. Or
> just look over someone's shoulder when they are making a
> payment somewhere.

Well, if your server is connected to the Internet, then it's possible for an intruder to be located anywhere on the planet. If the credit card info. is in your office the potential intruders are a little more geographically restricted. <g> Seriously, in any case it's advisable to take the proper precautions. If you process the credit card info. yourself then it's advisable to encrypt it using gnupg or pgp and either keep no paper/electronic trail of unencrypted info. or keep it very, very secure and definitely off your server. Otherwise it's worth considering using a reputable 3rd party credit card processing company so you never have or need to have the credit card info. yourself. My 2 cents.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/

--__--__--

Message: 6
Date: Wed, 15 May 2002 06:44:16 -0700
From: Jeff Lasman <[EMAIL PROTECTED]>
Organization: nobaloney.net
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Credit card
Reply-To: [EMAIL PROTECTED]

duncan gray wrote:

> Do the credit card
> companies say you can't do this sort of thing? Is it chiseled out in
> stone somewhere?

At least as of yet the Credit Card issuers have NOT told us HOW to secure our credit card information, though some are beginning to ASK.

> I'm sure holding CC details on the server would be
> more secure than the office next door, where all someone has to do is
> break a window (ok yeah just an example), take the receipts, etc.

While we use a third-party gateway to process credit cards, we do end up with some credit card numbers. They're secured in a virtual drive created by a jetico.sci.fi (see my previous post in this thread), on a protected system behind a firewall.

> Or just look over someone's shoulder when they are making a payment
> somewhere.

It's not really about physical security so much as risk and perceived security. I stand by statements I've been making for years that your credit card is more secure (in general) on the 'net than it is in a restaurant when you give it to that 20yo waiter/waitress who just started working at the local coffee shop with no background check. But I still don't want to end up on the six-o'clock news.

Jeff
--
Jeff Lasman <[EMAIL PROTECTED]>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484

--__--__--

Message: 7
Date: Wed, 15 May 2002 14:03:29 +0000 (GMT)
From: "E.B. Dreger" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Credit card
Reply-To: [EMAIL PROTECTED]

dg> Date: Wed, 15 May 2002 00:29:58 -0700 (PDT)
dg> From: duncan gray

dg> So really the main issue is getting the information off the
dg> server as soon as possible, so if for some reason you were
dg> hacked, they only get 1 number, or none as you've already
dg> removed them. Do the credit card companies say you can't do

No. Encrypt the info using asymmetric encryption or a hybrid (random symmetric key, with key asymmetrically encrypted, a la PGP/GnuPG/SSL) approach. Store info on a _separate_ bastion server. Then, if someone cracks the webserver, they cannot decrypt existing records. The encrypt/decrypt keys are different, and always should be transmitted via a secure channel.

Note that if someone cracks the webserver they can still install trojans, so you're not in the clear re new CC info. And if they scan memory pages or swap partitions for certain regexps, such as "([0-9]{4}[\ -]?){4}", you have a problem.

dg> this sort of thing? Is it chiseled out in stone somewhere?

The lower the risk, the friendlier the merchant provider will be. Anger one if you dare. Tell them you're storing unencrypted info, and see what happens.

As Gerald (others?) pointed out, it's not much harder to do it better... and, I maintain, not too difficult to do it right. If one cuts corners on something as basic as encryption, what else is lacking?

dg> I'm sure holding CC details on the server would be more
dg> secure than the office next door, where all someone has to
dg> do is break a window (ok yeah just an example), take the
dg> receipts, etc. Or just look over someone's shoulder when they
dg> are making a payment somewhere.

How many x86-based RaQ admins running BIND-8.2.2p*? How many type "the keys to the kingdom" over clear text on a shared ethernet segment? How many use short passwords that are easily guessable via dictionary-based attacks?

Given clueful administration, the server is more secure. But that's a rather large assumption. What's really scary is how many people don't even know the issues at hand...

--
Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <[EMAIL PROTECTED]>, or you are likely to be blocked.

--__--__--

Message: 8
Date: Thu, 16 May 2002 00:57:16 +0400 (MSD)
From: Eugene Crosser <[EMAIL PROTECTED]>
Subject: Re[2]: [cobalt-security] Credit card
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]

On Wed, 15 May 2002 09:30:14 -0400 Steve Werby <[EMAIL PROTECTED]> wrote:

> "duncan gray" <[EMAIL PROTECTED]> wrote:
> > So really the main issue is getting the information off the server
> > as soon as possible, so if for some reason you were hacked,
> > they only get 1 number, or none as you've already removed them.
>
> I wouldn't even want to risk someone accessing a single credit card
> number. If someone hacks into the server they'll be able to access all
> of the credit card info you store in plain text, regardless of how long
> the data stays on the drive. All that's needed is a process that
> monitors for new credit card info and records it or emails it
> somewhere. Sure, the hacker might only be able to get info. from one
> transaction at a time, but that isn't going to make you look any better
> when you're hacked and the info. is stolen.
>
> > I'm sure holding CC details on the server would be more secure
> > than the office next door, where all someone has to do is break
> > a window (ok yeah just an example), take the receipts, etc. Or
> > just look over someone's shoulder when they are making a
> > payment somewhere.
>
> Well, if your server is connected to the Internet, then it's possible
> for an intruder to be located anywhere on the planet. If the credit
> card info. is in your office the potential intruders are a little more
> geographically restricted. <g> Seriously, in any case it's advisable to
> take the proper precautions. If you process the credit card info.
> yourself then it's advisable to encrypt it using gnupg or pgp and
> either keep no paper/electronic trail of unencrypted info. or keep it
> very, very secure and definitely off your server. Otherwise it's worth
> considering using a reputable 3rd party credit card processing company
> so you never have or need to have the credit card info. yourself. My 2
> cents.

We do the credit card processing this way: inside the CGI, immediately encrypt the data with public key. Corresponding private key does not exist on this server. Encrypted data is sent over UUCP (crossover serial cable) to a machine that is not connected to the Internet at all. There the card data is decrypted and used for payments (over telephone line in our case). Practically the only way the data can be intercepted without physical access is by compromising the CGI script.

Of course we implemented all this before the internet boom, when people were serious about security...

Eugene

--__--__--

Message: 9
From: Gerald Waugh <[EMAIL PROTECTED]>
Organization: Front Street Networks LLC
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Credit cards
Date: Tue, 14 May 2002 11:05:41 -0400
Reply-To: [EMAIL PROTECTED]

On Tuesday 14 May 2002 10:28 am, Jeff Lasman wrote:
> duncan gray wrote:
> > I'm guessing that you would need something along this
> > line.
> >
> > A SSL certificate for encrypting server - client
> > communication.
> > Encrypted DB.
> > A firewall.
> >
> > Is there anything else?
>
> A secure way of getting the details off the system and into the hands of
> someone. Either a secure (pgp/gpg) email system, OR a procedure for
> sending the information to an email account on the box that you read
> through webmail over a secure connection, or some other way of reading
> the credit card information over a secure connection.

No *don't* store the info in a mail spool on the server unencrypted.

> And how about a procedure in place to get those credit card numbers OFF
> the system on a regular basis so if it is hacked, you won't end up on
> the six-o'clock news.

Again store and pop (deleting from the server) encrypted. When they get to the client, they are still safe as they are encrypted.

--
Gerald Waugh
http://www.frontstreetnetworks.com :: Phone. [011] 203.785.0699
Front Street Networks LLC | SOHO Networks & Web Site Hosting
229 Front Street, Ste. #C, New Haven, CT, 06513-3203 United States

--__--__--

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

End of cobalt-security Digest
