
Twitter Adds Two-Factor Authentication

Twitter Account Security

Twitter has finally added two-factor authentication.  If you have a Twitter account, we encourage you to log in and enable Twitter’s new Account Security option right away.

To do so, click the gear icon at the top of your Twitter page, then go to Settings > Account.  Check the box next to the Require a verification code when I sign in option:

[hr]

Twitter Account Security settings (screenshot)

[hr]

Once enabled, Twitter sends a one-time verification code to your phone by text message each time someone signs in with your password.  The login does not complete, for you or for anyone else, until that code is entered:

[hr]

Twitter Verification Code prompt (screenshot)

[hr]

This adds an additional layer of security to your Twitter account and should help prevent account “hacking” incidents.  It does not replace a strong, unique password, and it makes the phone number on the account a recovery point worth protecting, so keep that number current.

Remember, there is no silver bullet or single solution to security.  Keep your wits about you when you’re online.  Beware of private messages sent to your Facebook or Twitter account, and do not click on links in private messages.  Keep an eye out for social engineering scams such as, “OMG, look at what this person Tweeted about you!!!”

As always, let us know if you have any questions!

Why Connecting to a VPS via Remote Desktop Violates the PCI DSS

If you connect to a “cloud” VPS using Remote Desktop without TLS or SSL and you swipe (or type) credit card numbers from your computer ‘up’ to software running on your VPS, your business is in violation of the PCI DSS [PDF].

PCI DSS requirement 4.1 states the following:

[box with_bg=”true” inner_padding=”small”]
[heading type=”h3″ no_top_padding=”true” underlined=”true”]PCI DSS 4.1[/heading]
Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

Examples of open, public networks that are in scope of the PCI DSS include but are not limited to:

[checklist]

  • The Internet
  • Wireless technologies
  • Global System for Mobile communications (GSM)
  • General Packet Radio Service (GPRS)

[/checklist]

[/box]

In a configuration where your credit card swipe is connected to your PC and your credit card software (e.g. X-Charge) is on your PC, the cardholder data goes from the swipe into X-Charge, and X-Charge then transmits it to the processor over SSL/TLS.

In a VPS configuration, X-Charge is no longer installed on your computer; nothing is installed on your computer.  Instead, you connect to the VPS over an open, public network (the Internet) via Remote Desktop, and X-Charge runs on the VPS “up there,” away from your computer.  When you swipe a card, the card data leaves the swipe and crosses the public Internet inside the Remote Desktop session.  Out of the box, Remote Desktop is not guaranteed to use SSL/TLS: the default “Negotiate” setting still falls back to the legacy RDP security layer, which encrypts with RC4 but never authenticates the server (so a man-in-the-middle can sit on the connection), and that does not qualify as strong cryptography for requirement 4.1.  Your system administrator must configure the RDP listener to require the TLS security layer with a valid certificate, or put the server behind a Remote Desktop Gateway or VPN, before card data should ever go across it.

These are facts, and we share this sort of information because store owners are ultimately the ones held accountable for PCI DSS compliance.  It is common sense and best practice NOT to swipe credit cards across RDP.  If best practice isn’t enough, the PCI DSS should be.

0-day Windows Kernel Vulnerability

Vulnerability

A new 0-day Windows vulnerability has been discovered.  This vulnerability allows escalation of privileges – e.g. a Guest or Restricted account could gain Administrator access.

This vulnerability affects all versions of Windows.  As this is a 0-day vulnerability, there is currently no patch for this issue.

ConsignPro Cloud, ConsignmentTill Cloud, Liberty Cloud, Anything Cloud

Le Cloud

The “cloud” service for Liberty is actually something you can do with any of the consignment software programs.  The only problem is, it isn’t secure, and it creates a new set of responsibilities around properly maintaining and configuring a Windows Server 2008 system.

Want to do ConsignPro Cloud?  You can do it right now.  Want to do your own Liberty Cloud?  You can do it right now.  ConsignmentTill, Consignment Success, or any of the desktop-based consignment software programs, can all turn into this “cloud” service.  That’s because it’s not the software that’s making this happen.

It’s a VPS (Virtual Private Server) running Windows Server 2008 from HostDime.  You can get a VPS with the same configuration, from HostDime:

[hr]

[button link=”http://www.hostdime.com/web-hosting/vps/windows/” size=”bigger” open_new_tab=”true”]HostDime Windows VPS[/button]

[hr]

A few years ago, we considered offering a service to help store owners configure their own VPS to use with any of the consignment software programs.  None of the consignment software programs support multiple locations, except for Traxia’s SimpleConsign.  We signed-up for VPS hosting with HostDime and began testing.  Before we even went past installing programs, it became painfully and glaringly clear – this is not a secure way to run consignment software.

To connect to your VPS, you’d be doing so via Remote Desktop (RDP).  Left at its defaults, RDP is not a secure protocol: traffic between your PC and the VPS is only protected by TLS (with AES) if the server has been configured to require the TLS security layer, and the legacy RDP security layer it otherwise falls back to encrypts with RC4 and never authenticates the server.  If you are planning on swiping credit cards at your store over that connection, you will fail PCI DSS compliance.  Yes, certain swipes encrypt the card data inside the reader, but a plain keyboard-emulation (HID) reader types the card number as keystrokes, and those keystrokes cross RDP with whatever protection the session has, which with the legacy layer includes nothing that proves you are talking to your own server.  That is simply a bad idea.

Currently, the “cloud” service for Liberty is not using a TLS-secured Remote Desktop connection.  Most VPS hosts out there will not offer a secure connection out of the box.  That alone is reason enough to avoid Remote Desktop access for your consignment software database server.

Let’s also not forget the vulnerabilities in RDP that have come up recently, one of which lets someone completely lock up your server.

The next issue is Windows Server configuration.  You simply cannot run a Windows Server VPS without deep configuration of Group Policy.  And you can’t run just “any” antivirus software, certainly not Microsoft Security Essentials, a consumer product that is not supported on Windows Server and gives you no centrally retained audit logs.  It fails PCI DSS compliance on that basis alone, and we have documented incident after incident of systems running Microsoft Security Essentials that became deeply infected.

[hr]

Vendor-Installed Microsoft Security Essentials

Deeply Infected System Running Microsoft Security Essentials

Trojan Infections, Despite An Updated Microsoft Security Essentials

[hr]

Don’t assume you can get by with Microsoft Security Essentials.  We have far too many documented cases of infected systems, and MSE has lost its certification from AV-Test.

If you’re currently running a VPS from your vendor, log in and check a few things:

[checklist]

  • Is the connection secure?  Does your RDP client show a server certificate it could verify, or does the session run inside a VPN?
  • Which antivirus is installed and running, and where do its logs go?
  • How much access to the system do you have?  Can you open Control Panel?
  • Is the server running system monitoring and patch management software?

[/checklist]

The reality is, running a throttled VPS over an unsecured RDP connection as your consignment software infrastructure is not something we would recommend to our worst enemy.  Don’t take our word for it; ask around, this isn’t an opinion.  All credit card data must travel over a secure connection, and a USB swipe over an unsecured RDP session is not one.

This also puts the burden of availability on the store owner, as this requires an Internet connection 100% of the time.

We’d love to see the consignment software vendors address the challenge of multiple locations, utilizing their software.  Liberty has its RWX sync module.  ConsignPro already uploads and downloads consignor + inventory data during the Shutdown process.  Consignment stores do not need to be connected “all the time”.  Data could be synchronized, keeping multiple locations in-sync.  Consignment stores are really just looking for ways to allow consignors and customers to use store credit at multiple locations; or to receive a payout at “another” store.  It’s not real-time data synchronization that’s needed.

We want store owners to be informed.  Catch phrases are great for marketing, but there is a reality here that cannot be ignored.  PCI DSS Compliance spells things out very clearly.

[hr]

Updated 5/17/2013 @ 7:05 PM: Clarified RDP details.

Updated 5/20/2013 @ 5:57 PM: Clarified VPS host; clarified Secure RDP Services; added multiple, specific PCI DSS failure examples for Liberty “Cloud.”

To further clarify how the Liberty Cloud VPS is not PCI DSS Compliant:

[checklist]

  • All non-console administrative access, e.g. Remote Desktop, must be encrypted with strong cryptography: TLS/SSL, SSH, or a VPN (PCI DSS 2.3)
  • Antivirus must be current, actively running, and generating audit logs, and those logs must be retained for at least one year (PCI DSS 5.1, 5.2 & 10.7)
  • An intrusion detection or prevention system (IDS/IPS) must be in place (PCI DSS 11.4)
  • Strong cryptography (SSL/TLS) must protect credit card data transmitted from your computer, across the Internet, to the server (PCI DSS 4.1)
  • Two-factor authentication for remote access must be in place (PCI DSS 8.3)
  • Idle sessions must require re-authentication after 15 minutes (PCI DSS 8.5.15)

[/checklist]
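The first item in that list, and the RDP discussion in the “Why Connecting to a VPS via Remote Desktop Violates the PCI DSS” post above, both come down to one question you can actually test: will the server still accept the legacy RDP security layer, or does it insist on TLS / Network Level Authentication?  The following Python script is an added example written for this page; it is not code from the original posts, from Liberty, HostDime, or any vendor.  It sends the X.224 Connection Request with an RDP negotiation request (the handshake defined in MS-RDPBCGR) once per security layer and decodes the server’s Connection Confirm.  The host name is whatever you pass on the command line, the sample packets are constructed rather than captured, and the finding strings and PCI references are this example’s own wording.

```python
"""Probe how an RDP listener negotiates its security layer (MS-RDPBCGR 2.2.1.1/2.2.1.2).

A server that still answers a plain "Standard RDP Security" request (selected
protocol 0, or no negotiation response at all) encrypts with RC4 and never
proves its identity, so that session is not strong cryptography for PCI DSS
2.3 / 4.1 purposes."""
import socket
import struct

# requestedProtocols flags in RDP_NEG_REQ
PROTOCOL_RDP = 0x00000000     # Standard RDP Security: RC4, no server authentication
PROTOCOL_SSL = 0x00000001     # TLS security layer
PROTOCOL_HYBRID = 0x00000002  # CredSSP (Network Level Authentication) over TLS

# failureCode values carried in RDP_NEG_FAILURE
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request carrying one RDP_NEG_REQ (type 0x01)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: LI, code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into {legacy, selected, failure}."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a well-formed TPKT packet")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]  # bytes after the 7-byte CC header, up to LI
    if not body:
        # No RDP_NEG_RSP at all: the server predates negotiation and only speaks
        # Standard RDP Security (Windows Server 2003 era behaviour).
        return {"legacy": True, "selected": PROTOCOL_RDP, "failure": None}
    rtype, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if rtype == 0x02:  # RDP_NEG_RSP
        return {"legacy": False, "selected": value, "failure": None}
    if rtype == 0x03:  # RDP_NEG_FAILURE
        return {"legacy": False, "selected": None, "failure": FAILURE_CODES.get(value, hex(value))}
    raise ValueError("unexpected negotiation response type %#x" % rtype)


def evaluate(responses):
    """responses: {requested_protocol: parse_connection_confirm() result}.
    Returns (transport_ok, findings); transport_ok is True only when the
    server refused a plain Standard-RDP-Security request."""
    findings = []
    rdp = responses.get(PROTOCOL_RDP)
    accepts_plain = rdp is not None and (rdp["legacy"] or rdp["selected"] == PROTOCOL_RDP)
    if accepts_plain:
        findings.append("accepts Standard RDP Security (RC4, unauthenticated server): "
                        "not strong cryptography under PCI DSS 2.3 / 4.1")
    elif rdp is not None and rdp["failure"]:
        findings.append("refuses Standard RDP Security: " + rdp["failure"])
    if responses.get(PROTOCOL_SSL, {}).get("selected") == PROTOCOL_SSL:
        findings.append("TLS security layer available")
    if responses.get(PROTOCOL_HYBRID, {}).get("selected") == PROTOCOL_HYBRID:
        findings.append("NLA (CredSSP over TLS) available")
    return (rdp is not None and not accepts_plain), findings


def probe(host, port=3389, timeout=5.0):
    """Ask for each security layer on its own connection, so a server that
    merely *negotiates* TLS but still accepts plain RDP is caught."""
    responses = {}
    for proto in (PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request(proto))
            data = sock.recv(4)  # TPKT header carries the total length
            while len(data) >= 4 and len(data) < struct.unpack(">H", data[2:4])[0]:
                chunk = sock.recv(struct.unpack(">H", data[2:4])[0] - len(data))
                if not chunk:
                    break
                data += chunk
            responses[proto] = parse_connection_confirm(data)
    return responses


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        ok, notes = evaluate(probe(sys.argv[1]))
    else:  # offline demo on a constructed RDP_NEG_FAILURE (HYBRID_REQUIRED_BY_SERVER)
        sample = bytes.fromhex("030000130ed000001234000300080005000000")
        ok, notes = evaluate({PROTOCOL_RDP: parse_connection_confirm(sample)})
    print("transport acceptable:", ok)
    for note in notes:
        print(" -", note)
```

Run it as `python rdp_probe.py your-vps-hostname` against a server you are authorized to test; with no argument it decodes a constructed response instead.  A “transport acceptable” result is necessary, not sufficient: the certificate the TLS layer presents still has to be one your RDP client can verify, and the rest of the checklist (two-factor authentication, log retention, idle-session timeout, IDS) is not visible on the wire at all.  If the host fronts RDP with a gateway or VPN, probe the endpoint your client actually connects to.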

Internet Explorer 10 Update Failing

IE Fail

This week’s Internet Explorer 10 update (KB2828223) has been failing left and right…

[hr]

IE 10 Update Failing (screenshot)

[hr]

The result is Windows failing to start in Normal Mode on the next reboot.  Forcing the system off, and possibly booting it into Safe Mode, is required to get past the “stuck” system.  On the following reboot, the system reports that the update is “failing” and rolls it back…

[hr]

Failure Configuring IE 10

[hr]

For clients on our System Monitoring service, we’ve disabled the IE10 update across the board and will manually address any installation issues.

We tracked 31 IE10 update failures this week…

[hr]

IE 10 Failures (screenshot)

[hr]

If you do not have Patch Management in place, be sure to keep up with Microsoft’s monthly set of patches.  These are released on the second Tuesday of each month (“Patch Tuesday”), and in the days prior Microsoft publishes an advance notification describing each update.  This gives you the chance to test updates manually on one system before rolling them out across all of your systems.

If you come in and find your computer “spinning its wheels” in the morning, we recommend giving it at least 15 minutes to make sure it truly is stuck.  If the system is unable to start Windows, the only option is to power off the computer.  Let it ‘rest’ for a minute, then power it on again.  If the system is able either to recover and reprocess the update or to properly “fail” the update and roll the system back, you should be able to proceed into Normal Mode.  If the system cannot recover, booting into Safe Mode With Networking is most likely the next step.

As always, if you have any questions, let us know!
