Re: Secure Transactions over HTTPS????

From: Dennis Willson (taz@taz-mania.com)
Date: 02/11/02


From: "Dennis Willson" <taz@taz-mania.com>
To: "Sam Steinmeyer" <SamSteinmeyer@winn-dixie.com>, "'Windex King'" <WindexKing@mor-lan-d.com>, <focus-ms@securityfocus.com>
Date: Mon, 11 Feb 2002 09:24:07 -0800

This is basically correct. It's for show. I used to run a datacenter where
we were doing 80,000 credit card transactions a day.
(Yes, now everyone knows that I worked supporting the 'back end' of a number
of major adult sites. However, a number of years ago it was the only way to
get experience with sites doing this level of eCommerce, not to mention
65,000,000 hits a day to the web servers.)

The weak part is usually hackers getting to the database. This
needs to be absolutely at the top of the list, security-wise. We had a team
monitoring the database around the clock for 'suspicious' activity. Not to
mention all the anti-fraud stuff we had to do (but that is another LONG,
MAJOR story in itself).

We had the databases behind a firewall (a second firewall inside the
Internet firewall) so that the only access was via VPN to the private
network they were on (they were on their own private network inside our
normal private network). The VPN was not for the encryption, it was for the
authentication it provided; even local workstations had to VPN through the
second firewall to access the databases. The firewalls sent email/pager
notifications of any attempt to directly access the database subnet from an
unauthorized IP address, including internal addresses. It was also
physically secure and only a couple of people had physical access. Each web
server that accessed the database had its own VPN userid. This allowed us
to keep detailed logs of what machine accessed the database at what time,
etc.
The userids were not stored openly on the web servers; you would have had
to break in and de-compile a lot of code to find this.

We were fortunate that we never had an incident of someone actually reaching
the database. There were a number of attempts, however.

----------------------------------------------------------------------------

----
Dennis Willson
taz@taz-mania.com
www.taz-mania.com
www.scubatech.org

Callsigns: HAM KA6LSW GMRS WPSJ953

-- Failure is not an option, it comes standard with Windows products --

----- Original Message -----
From: "Sam Steinmeyer" <SamSteinmeyer@winn-dixie.com>
To: "'Windex King'" <WindexKing@mor-lan-d.com>; <focus-ms@securityfocus.com>
Sent: Saturday, February 09, 2002 7:31 AM
Subject: RE: Secure Transactions over HTTPS????

> Hello all,
> In regards to strong encryption for Internet communications, it is a
> must for corporations that deal with credit cards and personal information.
> The reason for all the hoops is that, if a corporation gets hacked and
> credit card numbers or personal information is taken, they get
> investigated. If they followed your suggestion of "so why bother encrypting
> it with huge keys" they would get nailed with negligence. But, if they
> showed due diligence and jumped through all the hoops then they would not
> get hit as hard.
> Thanks
>
> -----Original Message-----
> From: Windex King [mailto:WindexKing@mor-lan-d.com]
> Sent: Friday, February 08, 2002 9:33 AM
> To: focus-ms@securityfocus.com
> Subject: Re: Secure Transactions over HTTPS????
>
> pxs3@po.cwru.edu wrote:
> > Remember, kids, use good algorithms and long keys.
>
> I'm assuming here we're still talking in the context
> of data traveling over the Internet.
>
> If that's still the case, I think some of you might
> find the opinion of Dr. Peter Tippett of TruSecure
> Corporation quite interesting.
>
> He said in a webinar last year that basically using
> strong encryption for Internet communications is not
> as necessary as most think it is.
>
> He said something to the effect that the risk of your
> credit card info, etc. being picked off while in
> transit across the Internet is basically zero so why
> bother encrypting it with huge keys.
>
> W K
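As an added illustration (not code from the original thread or from any of its authors) of the inner-firewall alerting Dennis describes, the following Python flags every connection attempt aimed at a database subnet whose source is not the authorized VPN gateway, and reports internal hosts that bypass the VPN just as loudly as external ones. The log-line format, the subnet 10.20.30.0/24, the gateway address 10.20.1.5 and the sample log lines are all constructed for this example.

```python
"""Added example (not from the original thread): flag attempts to reach a
database subnet that do not come from an authorized address, in the spirit
of the firewall alerting Dennis Willson describes. The log format, subnets
and addresses below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed network layout: the database subnet sits behind a second
# firewall; only the VPN concentrator's inside address may reach it.
DB_SUBNET = ipaddress.ip_network("10.20.30.0/24")
AUTHORIZED_SOURCES = {ipaddress.ip_address("10.20.1.5")}   # VPN gateway (constructed)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log line shape: "<ts> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
                    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
                    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    internal: bool   # True when the unauthorized source is one of our own hosts


def parse_line(line):
    """Return the named fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def unauthorized_db_access(lines):
    """One Alert per attempt aimed at the DB subnet from a non-authorized source.

    Both DENY and ALLOW actions are reported: a DENY is the expected case
    (the inner firewall did its job), while an ALLOW from an unauthorized
    source means a rule is wrong and deserves a page even more."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if dst not in DB_SUBNET or src in AUTHORIZED_SOURCES:
            continue
        alerts.append(Alert(rec["ts"], str(src), str(dst), int(rec["dport"]),
                            rec["action"], is_internal(src)))
    return alerts


# Constructed sample log: two legitimate VPN-gateway connections, one internal
# workstation trying to bypass the VPN, one external host, one garbage line.
SAMPLE_LOG = [
    "2002-02-11T09:01:02 ALLOW src=10.20.1.5:40001 dst=10.20.30.10:1433",
    "2002-02-11T09:01:07 DENY src=192.168.4.22:51312 dst=10.20.30.10:1433",
    "2002-02-11T09:02:15 DENY src=203.0.113.9:2049 dst=10.20.30.11:1433",
    "2002-02-11T09:02:16 ALLOW src=10.20.1.5:40002 dst=10.20.30.11:1433",
    "garbage line",
]

if __name__ == "__main__":
    for a in unauthorized_db_access(SAMPLE_LOG):
        where = "INTERNAL" if a.internal else "external"
        print(f"[{a.ts}] {a.action}: {where} host {a.src} tried {a.dst}:{a.dport}")
```

Run stand-alone it prints the two alerts from the constructed log; in practice the `Alert` records would be what feeds the email/pager notification, and the allowlist would be the per-web-server VPN identities rather than a single gateway address.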