Home page logo
/

basics logo Security Basics mailing list archives

Re: Poor Man's E-Commerce
From: John Morrison <john.morrison101 () googlemail com>
Date: Thu, 8 Apr 2010 12:08:32 +0100

Chester,

The security sounds good for the digital data. My understanding of the
current PCI rules is that it also covers paper data. How do you
control the security, and secure disposal, of that data?

Would it be possible to load the data that you have retrieved from the
external server into an encrypted database. For example, your normal
customer and sales database? This would avoid the additional processes
and risks of holding the data on paper.

On 7 April 2010 18:02, Chester Enright <amunchet () gmail com> wrote:
Recently, I was approached by our aftermarket department to build a
way to retrieve order information from our website.

Apparently, other companies in our industry were satisfied to receive
user information (including credit card information) in an email,
print it out, and delete the email.

We felt this was an unacceptable security risk.

The proposed solution is this:
 - The user enters his information on an SSL protected form (despite
the fact that SSL can be broken) on the external web server

 - This form's contents are encrypted in memory (via use of passing
them to an exec call to gpg from the php file...nothing plaintext is
written to disk).
    * The private key is not stored on the external server, but the
signed public key is, so the external server can encrypt, but not
decrypt

 - This encrypted file is written to the disk in a given directory.

 - Our internal server runs a CRON job every hour to retrieve the
contents of this directory; this directory is then wiped in accordance
to DoD standards
    * The CRON script runs a SHA1 hash check on the PHP files to
ensure they have not been tampered with.  If they have, they alert to
admin immediately.

 - On our internal server, the files are decrypted, printed, and then
wiped again according to DoD standards.

Having designed this myself, I don't see any particularly glaring
security holes.

I would appreciate critiques and insights that suggest otherwise.
Is this the best way to handle this sort of information hand off?  I
personally feel the risk is minimal, due to the encryption and short
period of time the information lives on an external machine.

Does anyone have experience doing this sort of thing?  How would one
break into this system to steal credit card information?

Thanks.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]