Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Database
    • Database

    Web Site Teaches a Privacy Lesson

    By
    Timothy Dyck
    -
    March 12, 2001
    Share
    Facebook
    Twitter
    Linkedin

      eWeek labs this past year had up-close-and-personal experience with the data security, privacy and integrity issues that keep e-business managers up at night: the eWeek eXcellence Awards Web site (www.excellenceawardsonline.com).

      Significantly increasing the complexity of the Web project was our requirement that companies nominating products make a donation of $100 to the Starlight Childrens Foundation (www.starlight.org), which provides computers and Internet access to hospitalized children.

      As the broker of the donations, we had to support secure communication links and securely store and process credit card data. We also provided payment confirmation by e-mail and payment status information online.

      Our site mirrored the challenges of a marketplace or business exchange site, where competitors interact with shared services in carefully controlled ways. The eXcellence Awards program was a highly competitive process, and many companies provided sensitive information on release dates and feature sets. It was critical for us to be able to assure site users that none of their competitors would be able to sniff out entry information by accident or deliberate malicious effort.

      We went to working making sure the eXcellence Awards Web application met privacy and security requirements.

      Application errors are a frighteningly common source of security and privacy vulnerabilities on Web sites, particularly because the application server must have trusted access to the database. (We used Apache Groups TomCat Java Server Pages application server.)

      In designing the overall infrastructure of the site, we tried to modulate tasks as much as possible to identify where security-sensitive transactions, such as logging in to the site or the database, occurred. We extracted this code and placed it into a set of included files so that we could guarantee that we used and maintained a single code library for these tasks.

      Handling the database password was a particularly sensitive issue. We decided not to specify the password anywhere in JSP code, since there have been bugs in the past that have allowed users to see scripting code embedded in HTML pages. Instead, our code dynamically loaded the database password from a disk file, letting us rely on the Unix file system permission system as an additional layer of protection.

      We also configured MySQL ABs MySQL security settings to only allow database connections from the local machine, so any unauthorized database activity would require a cracker to create and upload a modified JSP page or get shell access to the server.

      Tracking user identifications and making sure users were never able to access pages or information not associated with their user ID was another important task. We again used a set of shared include files to ensure users had logged in before seeing certain pages. We tracked user ID information in a server-side session object, not a client-side cookie. We did use temporary cookies to store a users session ID but not to store a users name or password information. Relying on an anonymous source (such as a client browser) to provide trusted information is a mistake.

      We then added security checks to the top of every page that included sensitive information. We ensured that users were correctly logged in and did real-time database lookups.

      For example, we used an entry ID as a parameter for one page but did a lookup on the company ID of that entry ID. We then matched this information against the company ID of the logged-in user before displaying any entry information.

      We also developed a set of wrapper classes that were called on every variable that was sent to the database as part of a SQL statement. This code checked variable contents for database control characters, such as semicolons, quote characters and backslashes, and either removed them or marked them using escape characters so the database would treat them as ordinary text, not as commands.

      Dont forget to secure less-visible places where sensitive data can be stored, such as database activity log files and backup files. We stored log and backup data securely offsite, deleting the old data from the server each time.

      The problems we did have cropped up in unexpected places. For example, during the course of the awards program, we sent out several mass e-mailings to people who nominated products. In one mailing, a large number of e-mail addresses were cut from another document and pasted into the “To:” field of the e-mail message. None of the names, companies and addresses were hidden. This security (and cultural) breach is further evidence that security is indeed about process and not just products.

      One error we made resulted in someone being able to get around our deadline for nominations (although only by a couple of hours). At one point we had renamed a set of server files but left the old files in place to allow users to finish their sessions. We forgot to remove the old files, which did not include the deadline code, so a user was able to use the old file names to submit a new entry. Because current browsers auto-complete URL references from their caches, information on old file names is easily accessible to users.

      Timothy Dyck
      Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×