This is TechSNAP episode 384. Hello and welcome to TechSNAP, Jupiter Broadcasting's weekly systems, network and administration podcast. This episode was recorded on September 20, 2018. My name is Wes, and we are ever so lucky to be joined by the one, the only, Jon the Nice Guy. Hello, Jon. Hello there, it's a pleasure to be here.
Yeah, it's great to have you. I mean, you know, you've got all kinds of expertise and you're doing us a huge favor by volunteering your time and helping. How are you doing today? I'm doing very well, thank you very much, and how about yourself? Oh, I'm doing splendid, and it's nice to be talking to you. I guess we can just get this episode rolling. We've got all kinds of good content to talk about: the latest news, of course, some things you don't want to miss and things you should look forward to, and we're going to talk about IPFS. But before we get to any of that, well, I've got some disappointing news if you have to interact with the US government
or any of the states: the Government Payment Service, Inc., a company used by thousands of US state and local governments to accept online payments, because of course that's how it works, well, they've leaked more than fourteen million customer records dating back at least six years. Yeah, it's not good. So KrebsOnSecurity, on September the 14th, notified GovPayNet that they had at least fourteen million customer records exposed, going back to 2012. Apparently only a couple of days later the company said it addressed a potential issue, but it's still not great, is
it? Oh no, it's really not. And as they say here, the company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Well, I mean, that's true as far as it goes, right? They do have things like names, addresses, phone numbers and the last four of the credit card. Now that's not generally enough to, as they say, initiate a full financial transaction, but boy, that's a lot more personal data than I want exposed. Yeah, I mean, when you're looking at systems with these sorts of records, it doesn't take a genius to start saying, well, you can pull information together and knit these various sources together to produce quite a complicated map of personal information, enough to do anything from, you know, taking over an iPhone account all the way through to, you know, potentially huge amounts of wire fraud and things like that.
It's just frustrating how simple this was, because anyone could access these receipts. You know, they're just given an incrementing number that you could type into a URL and access, so you knew how to construct valid ones: if you had one, you could find others by decrementing or incrementing that counter, and there you go. There are other strategies if you don't want to have these receipts behind a login. Google Photos, for instance, has a giant namespace of potential filenames and you get, you know, just a random pointer into that big namespace, so you don't know how to construct a valid identifier, and while in theory you could find someone else's pictures randomly, the search space is just too big. But clearly GovPayNet has not spent any time thinking about this, or any engineering hours to develop a secure system. No, and I
mean, from the looks of things, a lot of companies start their system without thinking about putting the privacy of people's information as, kind of like, a forethought. I mean, obviously, as many of your listeners may be able to tell, I'm from the UK and, you know, we've just gone through the GDPR piece, right, and that mandates that, you know, you have to put data privacy almost as the very first thing you think about. You have to engineer it with security in mind, and if you don't, you're liable for huge fines. Obviously GovPayNet is an American firm, so it's not bound by GDPR. I do hope that none of the employees that are affected by this were either EU citizens or, you know, needing to view this information from within the EU, because potentially GovPayNet may be looking at issues with GDPR now as well. That is
a great point. And with these kinds of services, you know, of course you're just trying to serve your customers' needs, you want to make it easy, probably in this case so that people could easily look up a receipt and, you know, be able to reference that for whatever they needed to do with it. That part's good, but you're right that you have to start thinking with security in mind, much like, you know, when you're crafting a firewall policy: start with the minimum stuff you can get away with and only add on when you know that you actually have a need for those ports to be open,
or for that information to be exposed. Yeah, so if you're a web developer, please, please start from basics. Don't increment by one for every single record, you know, don't just assume the next record... in fact, you should have tests in your system that check to see whether, if you just increment by one, you get another person's records, because if you do, you might need to go back to basics on that one. Well said, and it's
just, I mean, I think it just shows that we can no longer assume that people won't be looking for these, right? We live in a dangerous Internet where, if you put something out there, some bot somewhere is going to scrape it, if not a more malicious actor, so you really, really have to think that way and be prepared with that mindset from the outset. Absolutely. Now, last week we talked about Magecart; in particular, on the tech stem program we were discussing their recent attack on British Airways and all the trouble that caused. Well, I don't usually fly with British Airways, you might, Jon, um, but one site I think might be a little more popular with our listeners here, well, that's Newegg, and they, I'm afraid, are the latest victim. Yeah, and from the looks of things, this Magecart group are actually going after quite a few targets, so whilst this is quite a well-known name, I