We first saw this on /r/techsupportgore the other day.
It’s Friday, the day after Independence Day here in the States. We received an emergency email from a client who is unable to use their point of sale system for processing credit cards.
Securing consignment systems involves more than just installing free antivirus software and hoping all goes well.
The “cloud” service for Liberty is actually something you can do with any of the consignment software programs. The only problem is, it isn’t secure and it creates a new set of responsibilities around properly maintaining and configuring a Windows Server 2008 system.
Want to do ConsignPro Cloud? You can do it right now. Want to do your own Liberty Cloud? You can do it right now. ConsignmentTill, Consignment Success, or any of the desktop-based consignment software programs, can all turn into this “cloud” service. That’s because it’s not the software that’s making this happen.
It’s a VPS (Virtual Private Server) running Windows Server 2008 from HostDime. You can get a VPS with the same configuration from HostDime:
HostDime Windows VPS: http://www.hostdime.com/web-hosting/vps/windows/
A few years ago, we considered offering a service to help store owners configure their own VPS to use with any of the consignment software programs. None of the consignment software programs support multiple locations, except for Traxia’s SimpleConsign. We signed up for VPS hosting with HostDime and began testing. Before we even went past installing programs, it became painfully and glaringly clear – this is not a secure way to run consignment software.
To connect to your VPS, you’d be doing so via Remote Desktop (RDP). This is an inherently insecure protocol and data is not encrypted at 256-bit AES as it is sent between your PC and the VPS. If you are planning on swiping credit cards at your store, you will fail PCI DSS Compliance. Yes, certain swipes can encrypt data, but having a HID device capture credit card information and then send it in plain text across RDP is simply a bad idea.
Currently, the “cloud” service for Liberty is not utilizing Secure RDP Services. Most VPS hosts out there are not going to offer a secure connection out of the box. This alone is reason enough to avoid Remote Desktop access for your consignment software database server.
The next issue is Windows Server configuration. You simply cannot run a Windows Server box VPS without deep configuration of Group Policy. You can’t run “any” antivirus software, specifically not Microsoft Security Essentials. It fails PCI DSS Compliance and we have documented incident after incident of systems running Microsoft Security Essentials which have become deeply infected.
You just can’t get away with thinking you can run Microsoft Security Essentials. We have far too many documented cases of infected systems, not to mention MSE lost its certification from AV-Test.
If you’re currently running a VPS from your vendor, log in and check a few things:
- Is the connection secure?
- Which antivirus is installed and running?
- How much access to the system do you have? Can you view Control Panel?
- Is the server running system monitoring and patch management software?
The reality is, running a throttled VPS over an insecure RDP connection as your consignment software infrastructure is not something we would recommend to our worst enemy. Don’t take our word for it, ask around – this isn’t an opinion. All credit card data must utilize a secure connection. USB swipe over RDP is not secure.
This also puts the burden of availability on the store owner, as this requires an Internet connection 100% of the time.
We’d love to see the consignment software vendors address the challenge of multiple locations, utilizing their software. Liberty has its RWX sync module. ConsignPro already uploads and downloads consignor + inventory data during the Shutdown process. Consignment stores do not need to be connected “all the time”. Data could be synchronized, keeping multiple locations in-sync. Consignment stores are really just looking for ways to allow consignors and customers to use store credit at multiple locations; or to receive a payout at “another” store. It’s not real-time data synchronization that’s needed.
We want store owners to be informed. Catch phrases are great for marketing, but there is a reality here that cannot be ignored. PCI DSS Compliance spells things out very clearly.
Updated 5/17/2013 @ 7:05 PM: Clarified RDP details.
Updated 5/20/2013 @ 5:57 PM: Clarified VPS host; clarified Secure RDP Services; added multiple, specific PCI DSS failure examples for Liberty “Cloud.”
To further clarify how the Liberty Cloud VPS is not PCI DSS Compliant:
- All non-console logins – e.g. Remote Desktop – must utilize TLS, SSL, or connect over a VPN (PCI DSS 2.3)
- Antivirus must store logs for 365 days (PCI DSS 5.1 & 10.7)
- Intrusion Detection System (IDS) must be in place (PCI DSS 10.6)
- SSL must be in place when transmitting credit card data from your computer, across the Internet, to the server (PCI DSS 4.1)
- Two-factor authentication for remote access must be in place (PCI DSS 8.3)
- Idle sessions must re-authenticate after 15 minutes (PCI DSS 8.5.15)
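The RDP-related points in the list above (2.3, 4.1 and 8.5.15) can be checked on the server itself. The following is an added example, not something from the post or from any vendor: it reads the standard RDP-Tcp listener settings from the registry on a Windows Server 2008 box and reports which of those points fail. It assumes the default listener key and must be run in an elevated PowerShell session; the two-factor authentication and IDS requirements are not visible here and still have to be checked separately.

```powershell
# Added example (not from the post): audit the RDP-Tcp listener against the
# PCI DSS points listed above. Assumes the default listener registry key.
function Test-RdpListenerPci {
    param(
        [string]$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
        [int]$MaxIdleMinutes = 15
    )
    # Values not present in the key come back as $null and are treated as unset.
    $rdp = Get-ItemProperty -Path $ListenerKey
    $findings = @()

    # PCI DSS 2.3: SecurityLayer 2 = TLS required; 1 = negotiate (can fall back
    # to legacy RDP security); 0 = legacy RDP security only.
    if ($rdp.SecurityLayer -ne 2) {
        $findings += "SecurityLayer=$($rdp.SecurityLayer): listener is not forced to TLS (PCI DSS 2.3)"
    }
    # PCI DSS 4.1: MinEncryptionLevel 3 = High (128-bit), 4 = FIPS. Lower values
    # let the client negotiate weak encryption for the session.
    if ($rdp.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($rdp.MinEncryptionLevel): weak session encryption allowed (PCI DSS 4.1)"
    }
    # Network Level Authentication: the user authenticates before a full session is built.
    if ($rdp.UserAuthenticationRequired -ne 1) {
        $findings += "UserAuthenticationRequired=$($rdp.UserAuthenticationRequired): Network Level Authentication is off"
    }
    # PCI DSS 8.5.15: idle sessions must time out. MaxIdleTime is in milliseconds; 0 = never.
    $idleMs = [int64]$rdp.MaxIdleTime
    if ($idleMs -eq 0 -or $idleMs -gt ($MaxIdleMinutes * 60 * 1000)) {
        $findings += "MaxIdleTime=$idleMs ms: idle timeout missing or above $MaxIdleMinutes minutes (PCI DSS 8.5.15)"
    }

    New-Object PSObject -Property @{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: print the findings for this server.
(Test-RdpListenerPci).Findings
```

Settings pushed by Group Policy live under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and take precedence over the listener key, so if a value there disagrees with this report, the policy value is the one in effect.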
This is one of the most common ConsignPro support calls we receive. The ConsignPro settings file (cp.ini) is the second-most important file that you should be backing up on a daily basis. If this file “goes missing,” ConsignPro will not load.
Why did this file go missing?
The most common reasons are:
- ConsignPro stopped responding at the end of the day
- Antivirus software
- Automatic backup software (specifically, Carbonite)
This file is manipulated by ConsignPro (cp.exe) when you close at the end of the day. The ConsignPro executable tries to rename that file to cp2.ini and then make a backup of that file named cpini.bak.
That activity can seem suspicious to antivirus programs and while ConsignPro is not a malicious program, some of the actions it takes can make it appear as though it is. When ConsignPro goes to rename that file and “work with it,” antivirus programs can see that as malicious behavior and they can delete/quarantine the cp.ini file. This is why it’s very important to select the right antivirus program and to properly configure it. The Computer Peeps recommend ESET Nod32 Antivirus.
This tends to happen more often after you update, because the file has a different signature than before AND it’s being manipulated by an executable program. So for those of you who just updated to the latest version of ConsignPro and your antivirus program has been going nuts all week, now you know why.
What we do NOT recommend doing, is installing the “New Ini” file from the ConsignPro website. All you’re doing is sweeping the issue under the rug by installing that and asking for another unlock code. Why waste your settings with a blank file, when you can restore your previous backup? Your cpini.bak file can be restored, even if it’s not the one from *yesterday*. Your cp.ini file could possibly still be in the ConsignPro directory, named cp2.ini.
It’s also very important to implement the most appropriate backup solution. For ConsignPro users, The Computer Peeps recommend:
- ConsignPro daily Shutdown backups to an external USB hard drive.
- Nightly automatic script copies all critical ConsignPro files – e.g. .mdb, .ini, .bak, .00n, .txt, etc. – to external hard drive.
- CrashPlan, properly configured, to back up the ConsignPro backup copies to an external USB hard drive + off-site.
- Acronis True Image nightly system backups to an external USB hard drive.
If you just throw on a program such as Carbonite and tell it to back up your entire ConsignPro folder, you are going to generate collisions. Automatic backup programs can try to work with the files as soon as there’s an update/change to them. If ConsignPro is trying to work with the file at the same time, a collision occurs, and this can result in file deletion or incomplete file names/renames.
If you would like The Computer Peeps to setup a solid, reliable, compatible, and straight-forward backup system WITH email notifications AND automatic end-of-year ConsignPro backups, give us a call at (888) 374-5422 or send us a message via our Contact Us page!
I wanted to post a follow-up to this, because it’s not just antivirus that’s causing this, nor does the change Brian made to move settings into the database prevent this.
ConsignPro tends to ‘crash’ at the end of the day, when you’re closing the program. The program will show Not Responding, which is usually when the person closing will click with their mouse again, which only makes it look even *more* frozen:
The following morning when the store opens, is when the person opening for the day will run into the ConsignPro settings file was not found error:
This happens because ConsignPro crashes (not doing a Try/Catch?) when renaming cp.ini to cp2.ini:
I’m not sure why Brian chose to rename this file before copying it — it’s too many extra steps. VB can copy a file and rename it in one swoop:
We’ve written our own application that checks our clients’ cp.ini file every morning and alerts if it’s not there, if cp2.ini exists, etc.
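The two points above (copy-and-rename in one step, and a morning check for a missing cp.ini) can be shown together. The following is an added example written for this post; it is not ConsignPro’s code and not the application The Computer Peeps mention. It assumes only the file names the post describes (cp.ini, cp2.ini, cpini.bak) and a path to the ConsignPro folder.

```powershell
# Added example (not ConsignPro's code): morning health check of the settings
# file, plus a one-step backup that never renames cp.ini away first.
function Test-ConsignProIni {
    param([Parameter(Mandatory=$true)][string]$Path)
    $ini = Join-Path $Path 'cp.ini'
    $tmp = Join-Path $Path 'cp2.ini'
    $bak = Join-Path $Path 'cpini.bak'
    $alerts = @()

    if (-not (Test-Path $ini)) {
        $alerts += 'cp.ini is missing: ConsignPro will not load'
        if (Test-Path $tmp) {
            # The shutdown rename ran but the copy/rename back never finished.
            $alerts += 'cp2.ini exists: rename it back to cp.ini'
        } elseif (Test-Path $bak) {
            $alerts += 'cpini.bak exists: restore it as cp.ini instead of installing a blank ini'
        } else {
            $alerts += 'no cp2.ini or cpini.bak found: restore cp.ini from the external backup'
        }
    } elseif (Test-Path $tmp) {
        # Both files present: leftover from an earlier crash, not fatal but worth a look.
        $alerts += 'stale cp2.ini alongside cp.ini: a previous shutdown did not finish cleanly'
    }

    New-Object PSObject -Property @{
        Healthy = ($alerts.Count -eq 0)
        Alerts  = $alerts
    }
}

# Copy and rename in a single operation. cp.ini is never touched, so a crash
# part-way leaves the store with its settings file intact.
function Backup-ConsignProIni {
    param([Parameter(Mandatory=$true)][string]$Path)
    $ini = Join-Path $Path 'cp.ini'
    $bak = Join-Path $Path 'cpini.bak'
    try {
        Copy-Item -Path $ini -Destination $bak -Force -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "cp.ini backup failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (folder path is a placeholder): run the check and show any alerts.
(Test-ConsignProIni -Path 'C:\ConsignPro').Alerts
```

Scheduling Test-ConsignProIni before opening time and emailing the Alerts text is the same idea as the monitoring application described above, without the extra rename step that creates the failure in the first place.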
Stunnel, an application that provides secure ‘tunneling’ for commonly used, insecure protocols (e.g. SMTP, POP3, etc.) has issued a security bulletin. There is a known flaw that could be utilized to inject arbitrary code and ultimately control where the connection goes. Imagine the emails you’re trying to send to consignors and/or customers being intercepted.
If you think this is being hyper-sensitive, you don’t internets enough.
Any applications installed on your systems must be justified, as per the PCI DSS v2.0:
2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system.
2.2.2.b Identify any enabled insecure services, daemons, or protocols. Verify they are justified and that security features are documented and implemented.
2.2.3.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.
2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
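Requirement 2.2.2 and 2.2.4 ask for an inventory of enabled services and a justification for each insecure one. The following is an added example, not from the post: it lists the ports this server is listening on, maps each to its process, and flags the protocols named in 2.2.4 so each can be justified or removed. It assumes the English netstat column layout (Proto, Local Address, Foreign Address, State, PID) and runs on Windows Server 2008 without newer networking cmdlets.

```powershell
# Added example (not from the post): review listening TCP/UDP ports against the
# insecure protocols PCI DSS 2.2.4 names. Assumes English-language netstat output.
function Get-ListeningServiceReview {
    $insecure = @{ 21 = 'FTP'; 23 = 'Telnet'; 110 = 'POP3'; 143 = 'IMAP'; 161 = 'SNMP' }
    $seen = @{}
    $rows = @()
    foreach ($raw in (netstat -ano)) {
        $p = ($raw -split '\s+') | Where-Object { $_ -ne '' }
        if ($p.Count -lt 4 -or ($p[0] -ne 'TCP' -and $p[0] -ne 'UDP')) { continue }
        # TCP rows carry a State column; only listeners matter here. UDP rows have no state.
        if ($p[0] -eq 'TCP' -and $p[3] -ne 'LISTENING') { continue }
        $local  = $p[1]                       # e.g. 0.0.0.0:3389 or [::]:3389
        $port   = [int]$local.Substring($local.LastIndexOf(':') + 1)
        $procId = [int]$p[-1]                 # PID is always the last column
        $key    = "$($p[0]):$port:$procId"
        if ($seen.ContainsKey($key)) { continue }   # IPv4 and IPv6 listeners of one service
        $seen[$key] = $true

        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { "pid $procId" }
        $flag = ''
        if ($insecure.ContainsKey($port)) {
            $flag = "$($insecure[$port]): insecure per PCI DSS 2.2.4, justify or remove"
        }
        $rows += New-Object PSObject -Property @{
            Proto   = $p[0]
            Port    = $port
            Process = $name
            Flag    = $flag
        }
    }
    $rows | Sort-Object Proto, Port
}

# Usage: show the review as a table; rows with a non-empty Flag need a written justification.
Get-ListeningServiceReview | Format-Table Proto, Port, Process, Flag -AutoSize
```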
If someone is going to install third-party software on your computer, be sure to ask them if they are going to maintain and patch that software on a daily basis. As a business bound by PCI DSS, applications must be patched on at least a monthly basis. For systems storing, processing, or connected to sensitive data, applications should be patched more frequently, i.e. daily.
Without even considering PCI DSS, it’s common sense. An application installed with good intentions can easily backfire on you if not properly maintained.