Author Archive

FTP Server Security Flaw Discovered

Posted by on Monday, 1 November, 2010

We know that FTP has security issues that are based upon its aging design. But a new flaw, discovered by Maksymilian Arciemowicz, is creating new concerns. This new flaw is calling into question the underlying code-base implemented by literally thousands of FTP server applications.

The flaw resides in several C code libraries that call the glob() function. “Globbing” is a pervasive function that permits the use of wildcard patterns to identify file names. It’s one of the most commonly used processes in transferring large numbers of files with FTP: Instead of individually selecting files, a user may select a folder or a group of files based upon a common string. The common use of *.doc or *.* are examples.

The flaw discovered by Arciemowicz relates to a feature added to C libraries in 2001.  That feature – called GLOB_LIMIT – was designed to limit the amount of memory used during transfer. Because GLOB_LIMIT is not effective, it potentially allows a system’s main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

Of course, crashing an FTP server can then permit other security violations to take place – not only on the server side. For instance, a hung FTP server that is in the midst of a conversation with a client can leave the client’s data in the open. This represents a serious potential security hole for the client software itself.

In most servers, the function is implemented via libc, but some vendors have integrated the globbing feature directly into their products, with an option in the configuration settings for it to be disabled. Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU Libc (glibc) are affected. FTP and SFTP servers all tend to support globbing, so it’s important to either disable globbing in the configuration of the server side, and/or to contact the software vendor about the use of this underlying function to discuss how to the function.

GoAnywhere does not have this issue as it does not use C or the GLOB_LIMIT. GoAnywhere Services is a secure file server that allows trading partners (both internal and external) to securely connect to your system and exchange files within a fully managed and audited solution. Popular file transfer and encryption standards are supported without the need for proprietary client software.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

PCI-DSS 2.0

Posted by on Wednesday, 6 October, 2010

According to a survey of 155 Qualified Security Assessors (QSAs) conducted by the Ponemon Institute, 60 percent of retailers lack the budgets to be fully compliant with the PCI DSS standards. As an example, the annual audit cost for a major retailer can be as high as $225,000.

According to the Ponemon Institute survey, restricting access to card data on a “need-to-know basis” (PCI DSS Requirement #7) is still the most important PCI DSS requirement, but also the most difficult to achieve.

QSAs reported that the three most common business reasons for storing cardholder data are:

  • Handling charge-backs
  • Providing customer service
  • Processing recurring subscriptions

In order to service these customer’s requirements, the credit card data must still be available for the various software applications. These industry processes require merchants to implement methods of protecting cardholders from theft.

Encryption the Best Technology

QSAs find the most significant threats to cardholder data are in merchant networks and databases. They believe firewalls, encryption for data at rest, and encryption for data in motion are the top three most effective technologies for achieving compliance.

Sixty percent of QSAs believe encryption is the best means to protect card data end-to-end. Forty-one percent of QSAs say that controlling access to encryption keys is the most difficult management task their clients face.

Getting a Handle on PCI Issues

So what’s the best way to both satisfy the requirements of PCI and still make secured data transparent to applications?

The strategy QSAs recommend is to lock down the cardholder data with technologies that:

  1. Restrict the access
  2. Encrypt the data
  3. Manage and control the encryption keys

These recommendations point to a need to make encryption and encryption-key access an integral part of the overall information system.

But too many organizations use ad hoc encryption/de-encryption utilities that slow processing, and often leave de-encrypted data in the open. In addition, without any integrated encryption key management process, there is really no security at all.  Unsecured encryption keys, just like data, can be lost, stolen, and misused. Access to those keys should be managed as an integral part of the overall security of the operating system.

The point is that the QSA’s three recommendations go beyond the basic requirements of the PCI standard to actually secure the credit card data at the host – and to ensure that the data isn’t misused when the data is at rest or while being transferred.

Linoma Software’s data encryption suite Crypto Complete successfully addresses these QSA PCI requirements by providing data encryption and key management services that can be integrated seamlessly with IBM i (iSeries) applications.

Building on PCI-DSS V2

Industry security analysts will still complain that PCI-DSS needs to be a real security standard aimed at protecting card holder data, but Version 2.0 doesn’t provide that value.  Consequently, we need to analyze what the QSAs are recommending, and then build on PCI-DSS Version 2.0 to implement the best possible data security for our customers’ credit card data.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

Cyber Threats: Beyond Entertainment Value!

Posted by on Tuesday, 7 September, 2010

On June 8th, 2010 the National Public Radio (NPR) broadcast a debate by the public charity Intelligence Squared U.S. (IQ2US) entitled “The Cyber War Threat Has Been Grossly Exaggerated.” The show’s format is based on the traditional Oxford-style debate, with one side proposing and the other side opposing a sharply-framed motion.

The broadcast pitted Marc Rotenberg (executive director of the Electronic Privacy Information Center) and Bruce Schneier, (a security technologist), against Jonathan Zittrain, (a Harvard Law School professor), and the former U.S. Director of National Intelligence, Mike McConnell. Zittrain and McConnell rolled out the heavy security artillery, describing the threats and touting facts and figures, while Zittrain and Schneier pooh-poohed the seriousness of the threat, and tried to cast suspicion onto the U.S. government’s C.I.A., claiming that they just want to spy on us.

The debate was both entertaining and informative, but it also shed light on an unusual dichotomy in our public subconscious regarding cyber security: We – as denizens of computer technology – are as wary as Jason Bourne about where, exactly, our cyber security threats are coming from. Are they coming from real terrorists and enemy spies? Is there really some vast criminal conspiracy afloat? Or are these threats perhaps coming from within the very ranks of government itself?  Who do you really trust and why?

Even the term “cyber” is a subconscious mnemonic to the old Marvel Comics super-villain of the same name, and enemy of Wolverine. Cyber, (alias Silas Burr) in the comic book, was once an agent of the Pinkerton Detective Service before he turned into a criminal mastermind. Why wouldn’t we be suspicious of government representatives telling us that we’re engaged in a kind of comic book war?

But data security is obviously not an issue about comic book super-villains, or government conspiracies. For example, in this same month that IQ2US was airing their debate many of us were receiving notices about a class action settlement. Countrywide Financial – the behemoth that sold mortgages during the real estate bubble and which is now owned by BofA – has begun the process of contacting customers whose identities may have been stolen when their records were pilfered by an employee.

No, it was not Jason Bourne nor Silas Burr, but a former Countrywide senior financial advisor who wanted to sell the names, SS#s, credit information, employment history, and other personal information of mortgage applicants.

The U.S. District Court’s remedy in the settlement will be to require Countrywide to provide free credit monitoring of all those involved in the class action suite for a period of 2 years, along with a potential liability against Countrywide of up to $50,000 for each incident of identity theft.

Isn’t it time we, in our organizations, got serious about data encryption? Shouldn’t we be stepping into this battlefield to fight back with a secure, managed file transfer system between our workstations and servers?

The cyber wars of comic books may populate our imagination, but our company’s challenges are much more real. And if we’re not mindful to use the right tools in our IT departments, we may all be faced with a customer base of angry Jason Bourne’s who have lost their identities through our security lapses.

(Listen or watch the televised debate produced by Intelligence Squared U.S. (IQ2US) entitled “The Cyber War Threat Has Been Grossly Exaggerated” by clicking here.)

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

Who Insures the Insurer?

Posted by on Monday, 2 August, 2010

Do insurance companies maintain Data Security Breach Insurance?

On June 23, 2010 more than 200,000 Anthem Blue Cross customers received letters informing them that their personal information might have been accessed during a security breach of the company’s website. Customers who had pending insurance applications in the system are currently being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed.  It’s one more tumble in a cascade of security breaches that can have terrible consequences for the customers and clients of such a large insurance company.

And of course, this raises an ironic question: Do insurance companies maintain their own liability insurance in the event that their information systems are compromised?  As absurd as it may seem at first glance, it’s really not a laughing matter. According to the Ponemon Institute, the average cost of a security breach is now exceeding $200 per client record.  This would mean that Anthem Blue Cross’s breach last month created a liability as great as $40M.

Moreover, there’s a ripple effect to organizations that do business with insurance companies that suffer such an information security breach.  Each Personnel Department that delivers private employee information to an outside service supplier has an inherent responsibility and liability to its employees.

We all know that the privacy information transferred between companies should use a secure and confidential method of transmission.  Yet too many small and medium-sized companies are still using simple FTP (File Transfer Protocol) software that has been proven to be susceptible to the threats of network hackers.  And by the time these organizations realize their vulnerability, it’s often too late.  These companies are often performing these FTP transfers below the radar of their IT departments.  How does it happen?

Often personnel data is off-loaded to PCs from the main information systems where it is left “in the open” on the hard drives of desktops or laptops. After the data is transferred this residual data is often unprotected, where it’s subject to theft or secondary security flaws. Insurance agents – whose jobs are to facilitate the processing of the data with their insurance providers – can also suffer from such breaches. The loss of an agent’s laptop – through theft, accident, or routine use of USB thumb-drives – poses additional liability.

There are two readily available strategies to help prevent these kinds of security abuses. The first strategy is to use data encryption technologies that not only encrypt the data, but also record into a secure log detailing when, where, and by whom the sensitive data has moved from the main information database.  Linoma’s CryptoComplete offers precisely this kind of encryption capability, and it should be examined by IT professionals as a viable, highly configurable resource for the protection of the company’s information assets.

The second strategy is to use a secure method of transfer for the data itself, ensuring that the information is never left in a vulnerable state on an individual’s personal computer.  By removing FTP access to the data by any employee’s PC and channeling the transfer through the secure corporate server, IT can prevent the problem of network hacking from occurring.  Linoma’s GoAnywhere Director solution is precisely the means of achieving the goal of a secure FTP transfer between companies.

The tragedy of the Anthem Blue Cross breach was the result of a faulty security scheme in the design of its customer service solution.  But it is not the only potential failure of data security that can impact its customers and business partners. And, unfortunately, this information security breach is just one of the 356 million reported breaches that have occurred in the US over the last five years.

So who insures the insurer when a data security breach occurs?  The real answer is IT itself.  And helping IT achieve a better result will be the subject of this blog over the next few months.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2012 Linoma Software  |  All rights reserved