The recently discovered/fixed gap in ecommerce security got me wondering about an article I just read. Sen. Dianne Feinstein is re-introducing a bill that is supported by the United States Direct Marketing Association that would require businesses to notify consumers in the event of a security breach.

http://www.dmnews.com/cms/dm-news/legal-privacy/39740.html

I'm not averse to the bills actually, what I am averse to is "How would I know with an ofBiz installation that I've had a breach?"

I don't want the FBI coming after me because I failed to notify the Secret Service because someone downloaded 10,001 names from our system.

In the case of the recent ecommerce gap, say on a live system, does anyone have some sort of trip wires that would tell them that someone is scraping data they shouldn't? And more importantly, unusual requests that just look suspicious?

--
Walter
Much of this will depend on how you deploy OFBiz, i.e. the underlying software like operating systems and databases that it is running on, and to some extent the application server as well. For OFBiz itself we don't have any trip-wires, and in fact unless you have a specific vulnerability in mind trip-wires in any system don't mean much. What we do have in OFBiz is Visitor, Visit and ServerHit tracking. This allows you to see who did what and when.

-David

On Feb 5, 2007, at 9:52 AM, Walter Vaughan wrote:
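One way to turn the ServerHit records David mentions into the kind of trip wire Walter asked for: flag any visit that views an unusually large number of distinct record ids (party, order, customer) inside a sliding time window, which is what a scraper looks like and what a normal shopper does not. This is an added example, not OFBiz code; the field names `visitId`, `requestUrl` and `hitStartDateTime` and the sample hits are constructed and do not match the real ServerHit entity column for column.

```python
"""Scraping trip-wire over OFBiz-style ServerHit records (added example)."""
from collections import defaultdict
import re

# Assumed: a "detail" view carries a record id as a query parameter.
DETAIL_RE = re.compile(r"[?&](?:partyId|orderId|customerId)=([\w-]+)")


def find_scrapers(hits, window_seconds=300, max_distinct=50):
    """Return {visitId: peak_distinct_ids} for every visit that viewed more than
    `max_distinct` distinct record ids within any `window_seconds` window."""
    per_visit = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["hitStartDateTime"]):
        m = DETAIL_RE.search(h["requestUrl"])
        if m:  # non-detail pages (catalog, main) are ignored
            per_visit[h["visitId"]].append((h["hitStartDateTime"], m.group(1)))
    flagged = {}
    for visit, events in per_visit.items():
        start, seen = 0, {}  # seen: recordId -> hits currently inside the window
        for ts, rid in events:
            seen[rid] = seen.get(rid, 0) + 1
            while events[start][0] < ts - window_seconds:  # slide the window
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_distinct:
                flagged[visit] = max(flagged.get(visit, 0), len(seen))
    return flagged


def sample_hits():
    """Constructed traffic: V1 is a shopper, V2 enumerates party profiles."""
    hits = [
        {"visitId": "V1", "requestUrl": "/ecommerce/control/main", "hitStartDateTime": 1000},
        {"visitId": "V1", "requestUrl": "/ecommerce/control/orderstatus?orderId=WS10000", "hitStartDateTime": 1060},
        {"visitId": "V1", "requestUrl": "/ecommerce/control/orderstatus?orderId=WS10001", "hitStartDateTime": 1120},
    ]
    hits += [
        {"visitId": "V2", "requestUrl": f"/partymgr/control/viewprofile?partyId={10000 + i}",
         "hitStartDateTime": 1000 + i}
        for i in range(121)  # 121 distinct parties in about two minutes
    ]
    return hits
```

Tune `max_distinct` to the real per-visit distribution of your site before alerting on it, and feed the function from a periodic query over the ServerHit table rather than from the constructed list.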
In reply to this post by Walter Vaughan
There are basically two ways of getting data from a system, either the front door or the back door.

Protecting the front door is done by maintaining strong password security. Security could be increased by means of only allowing "privileged" accounts access based on IP address. Not a difficult thing to implement. In addition, use of web site audit logs could provide additional tracking. Google Analytics is awesome. A simple JavaScript tag could be added to the admin headers to track who is going where and could even track by userId.

The back door hacking is something that can be difficult to track but a starting place would be to implement intrusion detection software such as tripwire, chkrootkit, or rkhunter. Most backdoor hacks install software (aka root kits) on your server by exploiting a security hole. Once the rootkit is installed, the hacker can typically do anything they want with your data. Getting these ID systems to work can become a fulltime job however...

Intrusion Detection FAQ
http://www.sans.org/resources/idfaq/

Rootkit checkers
http://www.brunolinux.com/07-Security/Rootkit_Checkers.html
http://www.tripwire.com/

On 2/5/07, Walter Vaughan <[hidden email]> wrote:
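The "privileged accounts only from known addresses" idea in the reply above, as an added example rather than anything from OFBiz: a login gate that lets ordinary accounts through, checks privileged accounts against an allowlist of networks, and writes an audit record for every decision so the web site audit log the reply mentions actually contains the denials. The user set, the networks and the audit format are constructed assumptions.

```python
"""IP-gated login for privileged accounts with an audit trail (added example)."""
import ipaddress

# Constructed policy: which userLoginIds are privileged and where they may log in from.
PRIVILEGED_USERS = {"admin", "flexadmin"}
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.0.2.0/24")]


def admin_login_allowed(user_login_id, remote_ip, audit):
    """Return True if the login may proceed. Every call appends an
    (decision, user, ip, reason) tuple to `audit`, including allows."""
    if user_login_id not in PRIVILEGED_USERS:
        audit.append(("allow", user_login_id, remote_ip, "not privileged"))
        return True
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        # A malformed address must fail closed, not slip past the check.
        audit.append(("deny", user_login_id, remote_ip, "unparseable address"))
        return False
    if any(addr in net for net in ADMIN_NETWORKS):
        audit.append(("allow", user_login_id, remote_ip, "allowlisted network"))
        return True
    audit.append(("deny", user_login_id, remote_ip, "outside admin networks"))
    return False


def denied_admin_attempts(audit):
    """Filter the audit list down to denied privileged logins, the lines worth
    alerting on in the sense of Walter's 'unusual requests'."""
    return [rec for rec in audit if rec[0] == "deny"]
```

The `remote_ip` passed in should be the address the server actually saw on the connection; if a proxy sits in front of the application, take it from the proxy's trusted header, not from anything the client can set.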
In reply to this post by Walter Vaughan
Walter,

From my own experience developing security alone (I did security alone, focused), it's already hard enough. Well, ok, not all that tough. All-in-one-place convenience.

From my own experience developing applications USING security modules, I'd say it's close to impossible to build such "trip wires" or to totally secure an application. Well, ok, not that impossible, you just need to do a complete security audit (professional help needed, ie it's not very possible or cost-effective for non-techies to do this).

For this particular example of security breach (if everybody still remembers the example), it has to do with a mistake in the USAGE of the security module. It's like I could make a "mistake" programming security access to allow my janitor to enter my private office. That isn't a "mistake" per se; it's the fact that I didn't include lock-outs for my safe deposit box inside my private office that's the real mistake. The security module itself is not at fault.

Going back to my initial comment on building "trip wires", I'd say that it's more cost-effective to correctly lock-down an application than to build "trip wires". Well, of course, given an abundance of wealth, I wouldn't mind putting in multiple layers of security (outer door, inner trip wires, laser-zap-em-up devices, etc).

I'd say that bill could mean this: It is a requirement to conduct thorough security audit of your internet applications.

In case you're wondering, the answer is No, many internet applications are not completely locked down. You see security patches for MySQL, Mantis, MS, and most other internet apps. However, such security updates are mainly to patch holes in the security module, not to correct misuse of the security module inside the application layer.

OFBiz has a consistent security framework to facilitate a consistent "usage pattern" to facilitate an easy security audit. Many applications that don't have such a consistent security framework will require developers to chase down security holes all over the place. Imagine a security system for doors that only requires pressing 10 buttons on a consistent panel; my audit will only have 1 diagram of that panel for hundreds of doors. Now, imagine a security system that requires button-pressing in some cases, lever-pulling in others, flying kicks, head-banging, etc.

Jonathon

Walter Vaughan wrote:
From: "Jonathon -- Improov" <[hidden email]>
<snip>
> In case you're wondering, the answer is No, many internet applications are not completely locked down. You see security patches for MySQL, Mantis, MS, and most other internet apps. However, such security updates are mainly to patch holes in the security module, not to correct misuse of the security module inside the application layer.

A good example might be a recent message on the PostGres ML urging to update, even to 7.3.18 (see attached).

Jacques

The PostgreSQL Global Development Group releases today a security update for all recent PostgreSQL versions: minor versions 8.2.2, 8.1.7, 8.0.11, 7.4.16 and 7.3.18. Because this patches a medium-risk security hole, all users are urged to upgrade at the earliest opportunity.

This release fixes CVE-2007-0555 and CVE-2007-0556. Both of these issues allow an authenticated attacker with the permissions to run arbitrary SQL to launch a denial-of-service attack or possibly read out random chunks of memory. Since attacks require authenticated access, the security hole is only considered medium risk. You can read more about the issues on Mitre:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0556

In keeping with the PostgreSQL Project's security fix policies, this update is being released as quickly as possible: within 2 weeks of the first bug report, and within five days of developing a fix. This type of fast response is central to PostgreSQL's reputation as one of the most secure databases in the industry.

The new minor versions may be downloaded from our download page: http://www.postgresql.org/download/. Users will not need to dump & reload for the upgrade. However, see the release notes for your target version: http://www.postgresql.org/docs/8.2/static/release.html

-- PostgreSQL Core Team