Last weekend I got a letter in the mail from my credit card company.  It stated the following:

"A merchant accepting the American Express Card for payment detected unauthorized access to its data files.  At this time we beleive the affected data included your American Express Card account information and personal contact information"

The letter went on to say additional fraud alerts have been added to my account and suggested that I montitor my credit closely for the next few months.  The thing it didn't tell me was WHO.   Which merchant had the security breach?  So I called and asked...  I wasn't really expecting AMEX to tell me who it was, but suprisingly they did.

Turns out that the Westin Bonaventure hotel in Los Angeles, one of the official Adobe MAX 2009 hotels, was the culprit.  After plugging a quick search into Google I found a plethora of articles about the security breach.  According to one article from esecurityplanet.com:

"The hotel's point-of-sale system (POS) for processing debit and credit card transactions "may have been illegally accessed by an outside hacker," hotel officials said in a statement, adding that they are working with law enforcement agencies and major credit card companies to investigate the likely breach.

So far, Westin Bonaventure officials have isolated the source of the security breach to four bars and eateries on the property, as well as the valet parking station. The venues in question include the Lake View Bistro, the Lobby Court Bar, the Bonavista Lounge, and LA Prime.

The data possibly compromised by hackers includes customers' names, credit and debit card numbers, as well as card expiration dates."

The Westin Bonaventure has also issued a statement about it.

This is just another reminder that PCI DSS is nothing to sneeze at, and that physical security is important too.

Posting this for consumption by Google, so that when this happens to me again I can search Google and find the answer on my own blog. Then I feel silly. Then I am happy I solved my problem.

NetDirect is a Java based VPN client that requires a the installation of a little ActiveX control and then runs in the systray.

The Problem

I have two computers running this virtually identical Vista configurations. One works, one doesn't.

I'm on Vista Ultimate, and had tried getting NetDirect to work in both Firefox. Essentially, I got to the point where a little popup window opens up, I can see the NetDirect icon in the systray, and the client appears to be starting up. Then I get a long pause in feedback and an error. The output I see in the popup is as follows:

Downloading zip file...
Extracting zip file...
Loading library...
NetDirect: Initializing...
[[[ long pause here ]]]
NetDirect: TapAdapter IP not Assigned
NetDirect: Stopping...
NetDirect: Stopped!

At this point the window closes and the systray icon goes away. I tried a number of things including starting the browser "as Administrator" and also had searched Google for answers without any luck.

The Solution

The problem may have been due tot he fact that I already had installed (months earlier) OpenVPN to use a different client's VPN. As I was hunting around the system for the "TapAdapter" mentioned in the error message, I found a start menu option under OpenVPN that said "Delete ALL TAP-Win32 virtual ethernet adapters". Woah - that looked promising!

So I ran the bat file, it deleted some stuff, then I tried starting up the NetDirect connection again. Wham! It worked! Problem solved!

Note: I also started Firefox "As Administrator" when first installing the NetDirect client (it downloads and installs a couple of things). This may or may not have mattered.

As posted to Slashdot today, the source code for an algorithm has been posted that promises to find MD5 collisions, making it even more important to add some salt to any use of hash().

I just noted today that the login screen for CFMX 6 and 7 includes a version number and patch level. Using this information an attacker can readily identify unpatched machines which are ripe for attack. This is yet another reason to protect your entire CFIDE directory from prying eyes, and perhaps it would be a good idea for Macromedia to remove this information from the administrator login screen in future versions.

So I just returned from the First Annual Software Security Summit and have security on the brain. I thought I'd post about a little something that's always bothered me - weak protection of passwords in web applications. Many web applications don't handle much sensitive data. If someone breaks into the (fictional) web application for my mother's quilting guild, quilt-o-rama.com, no-one's going to care that all their quilting patterns have been stolen. They might even care if someone gets a list of all the guild members. However, there is one bit of data stored in this web application that's of value - their passwords. Let's face it, people don't use different passwords. They should, but they don't. That means passwords become: A globally shared key that opens all doors. Now you may be saying to yourself, "But Cameron, that's the user's fault that they use the same password for everything.". Sure, some responsibility does fall on the user. But we all know perfectly well that most people aren't going to choose a unique password if they can get away with it. Therefore we have to be willing to accept some responsibility when protecting our user's passwords. Since we know people are going to do everything in their power to choose an easy to remember (weak) password, we should protect it. This responsibility falls on us - the application developers. We have become custodians of a huge library of personal keys. Keys that might unlock data at banks, home computers, offices, government records, and quilt-o-rama.com - for most users the key is the same (or very similar) for all of these. Attackers are always looking for the weakest point to attack. Do you have a site that stores passwords in plaintext? Do you keep up with security bulletins? Do you think no-one cares about breaking into your little boring site? Congratulations, you are the weakest link (goodbye)! In security circles, this is commonly referred to as "key management". Your bank may encrypt your account data six ways from Sunday, but if the encryption key is easy for an attacker to discover, the encryption becomes meaningless. The data might as well have been in plain text all along. People go to all sorts of lengths when it comes to key management to make sure that the same encryption key isn't used in too many places, that it's not easy to discover, and that it's routinely rotated in case an old key is discovered at some point. The concept of password management is no different. It's a key, not an encryption key - but a key still. It unlocks information, but unlike encryption keys the same password is often used everywhere, very rarely rotated, and often not very well protected. And your web application's users have shared their keys with you. They have trusted you to keep it safe for them. You are holding valuable keys. Are you doing your part to protect your user's bank accounts, businesses, and other personal information?

This week I will be attending the First Annual Software Security Summit, a conference focused on writing secure software and understanding secure software architectures. If anyone else in the Macromedia/ColdFusion community is attending, shoot me an email and I'll keep an eye out for you.

A post from Netcraft entitled Non-Microsoft Browsers Have Spoofing Flaw shows that Firefox isn't immune to security flaws either. This flaw can be used by phishers to spoof a URL by inserting Unicode characters into it. Read the article for more.

Last Thursday, CNN.com ran a story on a security threat to wireless users called an Evil Twin. Essentially, all an attacker does is give her AP an identical SSID as the legitimate AP, drop it within proximity of wireless users, and wait for people to connect.

The end user has no idea that they are connecting to the wrong AP, and the attacker is able to conduct any number of attacks on the user including a man in the middle attack or simple packet capture.

Being seduced by an Evil Twin can be deterred by using WEP or WPA security, though there is still no guarantee that you are secure. WEP's been pretty well compromised and it's well accepted that WPA's days are also numbered.

Ultimately, the solution doesn't lie on the network layer, but on the data layer. If you really want to secure yourself, use something like ReefEdge's Dolphin. This software's an all in one wireless router/firewall with VPN capabilities. Place Dolphin on a machine between your wireless router and the rest of your network and it will regulate and secure access. From their site:

The Dolphin software transforms dedicated x86 hardware into a secure wireless gateway. Dolphin is ideal for a home environment or for IT professionals interested in exploring wireless network security. Dolphin supports secure authentication, IPSec security, and session roaming across subnets. Users authenticate with the wireless LAN using SSL and Dolphin enforces security policies based on type of user. Dolphin even supports encrypted access for trusted users via IPSec.

Cool stuff huh? With Dolphin, you can forget about WEP or WPA. The pipe to your network is regulated by a free enterprise strength security appliance that you can assemble yourself! Very cool stuff!

Note: As of this posting, the techzone.reefedge.com domain doesn't seem to be responding. Oh well, try try again.

So you think you do a good job with security. You spend precious time every week/month making sure that you download all the latest updates and patches for desktops, databases, and web servers. You encrypt customer information before you back it up and store it offsite in a guarded facility. You are the most paranoid programmer around, validating all form input, and detecting scripting attacks on the fly. Then you walk down the hall and see four boxes of chock full of customer data sitting outside the backdoor of your office. None of it is encrypted, none of it is guarded. It's just sitting there out in the open.

This photo was taken in the office building I work in every day. Those boxes have been sitting in a hallway outside of the back door of a mortgage banking company for the past THREE DAYS!!!!

You might also notice that the door is propped slightly open by a deadbolt that's extended. This door has been propped open in this way every day since I've worked in this building.

You are only as secure as your weakest point, and that point isn't always on the network.

Although many of these security issues are created by a Space Cadet in an Administrative Assistant's shoes, it's also common for software developers to focus on application security while neglecting physical security. While a developer may remember to lock her workstation every time she walks away from it, what about that debugging output sitting on her desk? Is there customer information on it? Did she leave it out on top of her desk at the end of the day when she went home? Should it be thrown away? Should it be shredded? Maybe it should be locked inside the desk. It's always a good idea to think about the physical security of data and not just the electronic security of it. Not enough of us do.