Re: [WEB SECURITY] SSL does not = a secure website
- From: "Ryan Barnett" <rcbarnett@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] SSL does not = a secure website
- Date: Tue, 28 Mar 2006 09:02:04 -0500
Lyal,
My comments about SSL not equating to a "secure site" were not directed at
the PCI standard but rather those uninformed individuals who think that
implementing SSL and posting a banner on their site has magically solved
their web security problems.
Here is a perfect, personal example of what I mean. This is a small excerpt
from my book -
*We're Secure Because We Use SSL: Missing the Point*
Back in February 2004, I decided to make an online purchase of some herbal
packs that can be heated in the microwave and used to treat sore
muscles. When I visited the manufacturer's website, I was dutifully greeted
with a message "We are a secure website! We use 128-bit SSL Encryption."
This was reassuring. During my checkout process, I decided to verify some
general SSL info about the connection. I double-clicked on the "lock" in the
lower-right hand corner of my web browser and verified that the domain name
associated with the SSL certificate matched the URL domain that I was
visiting, that it was signed by a reputable Certificate Authority such as
VeriSign and, finally, that the certificate was still valid. Everything
seemed in order so I proceeded with the checkout process and entered my
credit card data. I hit the submit button and was then presented with a
message that made my stomach tighten up. The message is displayed below;
however, I have edited some of the information to obscure both the company
and my credit card data.
The following email message was sent.
To: companyname@aol.com
From: RCBarnett@email.com
Subject: ONLINE HERBPACK!!!
name: Ryan Barnett
address: 1234 Someplace Ct.
city: Someplace
state: State
zip: 12345
phone#:
Type of card: American Express
name on card: Ryan Barnett
card number: 123456789012345
expiration date: 11/05
number of basics:
Number of eyepillows:
Number of neckrings: 1
number of belted: 1
number of jumbo packs:
number of foot warmers: 1
number of knee wraps:
number of wrist wraps:
number of keyboard packs:
number of shoulder wrap-s:
number of cool downz:
number of hats-black: number of hats-gray:
number of hats-navy: number of hats-red:
number of hats-rtcamo: number of hats-orange:
do you want it shipped to a friend:
name:
their address:
their city:
their state:
their zip:
cgiemail 1.6
I could not believe it. They had sent out my credit card data in clear-text
to an AOL email account. How could this be? They were obviously
technically savvy enough to understand the need to use SSL encryption when
clients submitted their data to their website. How could they not provide
the same due diligence on the back-end of the process?
I was hoping that I was somehow mistaken. I saw a banner message at the end
of the screen that indicated that the application used to process this order
was called "cgiemail 1.6". I therefore hopped on Google and tried to track
down the details of this application. I found a hit in Google that linked
to the cgiemail webmaster guide. I quickly reviewed the contents and found
what I was looking for in the "What security issues are there?" section:
Interception of network data sent from browser to server or vice versa via
network eavesdropping. Eavesdroppers can operate from any point on the
pathway between browser and server.
*Risk: With cgiemail as with any form-to-mail program, eavesdroppers can
also operate on any point on the pathway between the web server and the end
reader of the mail. Since there is no encryption built into cgiemail, it is
not recommended for confidential information such as credit card numbers.*
Shoot, just as I suspected. I then spent the rest of the day contacting my
credit card company about possible information disclosure and to place a
watch on my account. I also contacted the company by sending an email to
the same AOL address outlining the security issues that they needed to deal
with. To summarize this story - Use of SSL does not a "secure site" make.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 3/28/06, Lyal Collins <lyal.collins@key2it.com.au> wrote:
>
> While this doesn't answer the question about incident data it may be
> useful...
>
> Requirement 3 goes on to specify encrypted databases, minimise the volume
> of card data held among other things.
> These 2 requirements mostly affect the theft of the physical storage media
> since it's pretty difficult, imho, to prevent a workstation user from
> masquerading as an application call to the database/repository.
> Multi-layer DMZ, with the DB in its own tightly limited access network
> environment, and separation from app servers etc are also necessary.
> And these sorts of requirements exist elsewhere in PCI - Section 1.3.5
> and section 2.2.1 for example.
>
> Requirement 4 addresses issues other than attack-based sniffing - e.g.
> proxy servers that cache GET/POST request data, IDSs that log all packets
> for post-incident analysis etc, and simple routing errors.
>
> If servers and apps were strongly locked down, then attackers would focus
> on the next weakest barrier in the security environment - and network
> sniffing, and traffic redirection via ARP or DNS poisoning would probably
> be higher on the list of threats.
>
> So as I think about this question, it seems that PCI should be considered
> in its entirety, not just single sections, when it comes to addressing
> risks.
>
> Just a few random thoughts
> Lyal
>
>
>
>
>
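The back-end leak Ryan describes is worth putting beside a concrete check. What follows is an added example, not code from the post, from the book or from cgiemail: a Luhn-validated scan of an outbound message body that a form-to-mail handler could run before handing anything to the MTA, next to a notification builder that keeps the card number out of the mail altogether. Every name in it (ORDER_FIELDS, build_order_mail, build_safe_order_mail, check_outbound, the example.test addresses) is hypothetical; the order fields are constructed, and the card number is the published American Express test number 378282246310005, not a real card. Note that the obscured number in the post (123456789012345) does not pass the Luhn check, so this scan would ignore it; that is why candidates are Luhn-validated rather than matched on digit count alone.

```python
"""Added example: catch card numbers in mail a form-to-mail handler is
about to send, and show the builder that never puts them there at all.
Not from the original post, the book or cgiemail; names are hypothetical."""
from __future__ import annotations

import re
from email.message import EmailMessage

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: real card numbers pass, most random digit strings
    (including the obscured number quoted in the post) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list[str]:
    """Every Luhn-valid card number in text, with separators removed."""
    return [
        _digits(m.group(0))
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits(m.group(0)))
    ]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def _sub(m: re.Match) -> str:
        pan = _digits(m.group(0))
        return mask_pan(pan) if luhn_ok(pan) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed form submission. The card number is the published American
# Express test number, not a real card.
ORDER_FIELDS = {
    "name": "Jane Customer",
    "zip": "12345",
    "phone#": "555-123-4567",
    "Type of card": "American Express",
    "card number": "3782 822463 10005",
    "expiration date": "11/05",
    "number of neckrings": "1",
}


def build_order_mail(fields: dict, to_addr: str) -> EmailMessage:
    """Form-to-mail behaviour as in the post: every submitted field, card
    data included, is dumped into the body of an unencrypted message."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "orders@example.test"     # hypothetical sender
    msg["Subject"] = "ONLINE ORDER"
    msg.set_content("\n".join(f"{k}: {v}" for k, v in fields.items()))
    return msg


def build_safe_order_mail(fields: dict, to_addr: str) -> EmailMessage:
    """Same notification with the card data kept out of the mail: the PAN
    goes only to the payment processor, the merchant sees the last four."""
    safe = dict(fields)
    pan = _digits(safe.pop("card number", ""))
    safe.pop("expiration date", None)
    if pan:
        safe["card (last four)"] = pan[-4:]
    return build_order_mail(safe, to_addr)


def check_outbound(msg: EmailMessage) -> tuple[bool, list[str]]:
    """Gate to run before handing a message to the MTA. Returns
    (allowed, masked findings); allowed is False when the body carries a
    Luhn-valid card number."""
    findings = [mask_pan(p) for p in find_pans(msg.get_content())]
    return (not findings, findings)


if __name__ == "__main__":
    for builder in (build_order_mail, build_safe_order_mail):
        allowed, findings = check_outbound(builder(ORDER_FIELDS, "companyname@example.test"))
        print(f"{builder.__name__}: allowed={allowed} findings={findings}")
```

Run as a script, the first builder is blocked with the masked number reported and the second passes. The scan is a safety net for a handler nobody has audited yet; the actual fix is the second builder, since a card number that never enters the mail cannot be read off the mail server, the AOL mailbox or any relay in between, which is exactly the path the cgiemail guide warns about.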
<div>
<p class=3D"SC2" style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-=
stops: .5in; mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-=
change: UNOLACA 20050920T0941"><span style=3D"FONT-SIZE: 11pt; FONT-FAMILY:=
Arial; mso-bidi-font-family: 'Times New Roman'; mso-bidi-font-size: 10.0pt=
">
<ins cite=3D"mailto:UNOLACA" datetime=3D"2005-09-20T09:39">their state:</in=
s></span><span style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-=
family: 'Times New Roman'; mso-bidi-font-size: 10.0pt"><ins cite=3D"mailto:=
UNOLACA" datetime=3D"2005-09-20T09:43">
</ins></span></p>
<p class=3D"SC2" style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-=
stops: .5in; mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-=
change: UNOLACA 20050920T0941"><span style=3D"FONT-SIZE: 11pt; FONT-FAMILY:=
Arial; mso-bidi-font-family: 'Times New Roman'; mso-bidi-font-size: 10.0pt=
">
<ins cite=3D"mailto:UNOLACA" datetime=3D"2005-09-20T09:39">their zip:</ins>=
</span><span style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-fa=
mily: 'Times New Roman'; mso-bidi-font-size: 10.0pt"><ins cite=3D"mailto:UN=
OLACA" datetime=3D"2005-09-20T09:43">
</ins></span></p>
<p class=3D"SC2" style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-=
stops: .5in; mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-=
change: UNOLACA 20050920T0941"><span style=3D"FONT-SIZE: 11pt; FONT-FAMILY:=
Arial; mso-bidi-font-family: 'Times New Roman'; mso-bidi-font-size: 10.0pt=
">
<ins cite=3D"mailto:UNOLACA" datetime=3D"2005-09-20T09:43"> </ins></sp=
an></p>
<p class=3D"SC2" style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-=
stops: .5in; mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-=
change: UNOLACA 20050920T0941"><span style=3D"FONT-SIZE: 11pt; FONT-FAMILY:=
Arial; mso-bidi-font-family: 'Times New Roman'; mso-bidi-font-size: 10.0pt=
">
<ins cite=3D"mailto:UNOLACA" datetime=3D"2005-09-20T09:43"> </ins></sp=
an></p>
<p class=3D"SC2" style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-=
stops: .5in; mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-=
change: UNOLACA 20050920T0941"><span style=3D"FONT-SIZE: 11pt; FONT-FAMILY:=
Arial; mso-bidi-font-family: 'Times New Roman'; mso-bidi-font-size: 10.0pt=
">
<ins cite=3D"mailto:UNOLACA" datetime=3D"2005-09-20T09:39">cgiemail 1.6</in=
s></span></p>
<p class=3D"SC2" style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-=
stops: .5in; mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-=
change: UNOLACA 20050920T0941"><span style=3D"FONT-SIZE: 11pt; FONT-FAMILY:=
Arial; mso-bidi-font-family: 'Times New Roman'; mso-bidi-font-size: 10.0pt=
">
<ins cite=3D"mailto:UNOLACA" datetime=3D"2005-09-20T09:39"></ins></span>I c=
ould not believe it.<span style=3D"mso-spacerun: yes"> </span>They ha=
d sent out my credit card data in clear-text to an AOL email account.<span =
style=3D"mso-spacerun: yes">
</span>How could this be?<span style=3D"mso-spacerun: yes"> </=
span>They were obviously technically savvy enough to understand the need to=
use SSL encryption when clients submitted their data to their website.<spa=
n style=3D"mso-spacerun: yes">
</span>How could they not provide the same due diligence on the back=
-end of the process?</p>
<p class=3D"SB" style=3D"MARGIN: 6pt 1in 0pt 0in">I was hoping that I was
somehow mistaken. I saw a banner message at the end of the screen that
indicated that the application used to process this order was called
"cgiemail 1.6". I therefore hopped on Google and tried to track down the
details of this application. I found a hit in Google that linked to the
cgiemail webmaster guide. I quickly reviewed the contents and found what I
was looking for in the "What security issues are there?" section:</p>
<p class=3D"MsoNormal" style=3D"MARGIN: 0in 0in 0pt 0.25in"><font size=3D"2">Interception
of network data sent from browser to server or vice versa via network
eavesdropping. Eavesdroppers can operate from any point on the pathway between
browser and server.</font></p>
<p class=3D"MsoNormal" style=3D"MARGIN: 0in 0in 0pt 0.25in"><font size=3D"2"><em>Risk:
With cgiemail as with any form-to-mail program, eavesdroppers can also operate
on any point on the pathway between the web server and the end reader of the
mail. Since there is no encryption built into cgiemail, it is not recommended
for confidential information such as credit card numbers.</em></font></p>
<div style=3D"BORDER-BOTTOM: windowtext 1pt solid; PADDING-BOTTOM: 1pt; MARGIN-RIGHT: 1in">
<p class=3D"SBX" style=3D"MARGIN: 6pt 0in 0in">Shoot, just as I suspected. I
then spent the rest of the day contacting my credit card company about
possible information disclosure and to place a watch on my account. I also
contacted the company by sending an email to the same AOL address outlining
the security issues that they needed to deal with. To summarize this story
=96 Use of SSL does not a "secure site" make.</p>
</div></div>
<div> </div>
<div>-- <br>Ryan C. Barnett<br>Web Application Security Consortium (WASC) M=
ember<br>CIS Apache Benchmark Project Lead<br>SANS Instructor: Securing Apa=
che<br>GCIA, GCFA, GCIH, GSNA, GCUX, GSEC<br>Author: Preventing Web Attacks=
with Apache=20
<br><br> </div>
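<p>The failure in the story above is that TLS covered only the hop from the browser to the web server; the form-to-mail script then relayed the card number over SMTP in the clear. The following Python is an added example, not code from the original post or from cgiemail, showing a form-to-mail handler that scans each submitted field for a primary account number with the Luhn check, masks it, and names the field so the site can refuse to send. The field names, sample values and the card number (a published Visa test number) are constructed for the example.</p>

```python
"""Form-to-mail handler that refuses to relay payment card numbers.

Added example (not from the original post or from cgiemail). A form-to-mail
script takes the checkout fields and mails them verbatim: TLS protected the
POST from the browser to the web server, but nothing protected the SMTP hop
or the mailbox. The hardened renderer below finds primary account numbers
(PANs) with the Luhn check digit, masks them, and names the offending fields
so the caller can refuse to send and raise an alert. Field names, sample
values and the card number (a published Visa test number) are constructed.
"""
import re

# A run of 13 to 19 digits, allowing the space or hyphen separators that
# people type into card fields.
_PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) not in range(13, 20):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the PAN-looking substrings of text that pass the Luhn check.

    The Luhn filter keeps zip codes, phone numbers and order IDs out of the
    report: a random 16-digit number passes it only one time in ten."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(m.group(0))
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as a printed receipt does."""
    digits = re.sub(r"[ -]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def render_mail_vulnerable(fields: dict) -> str:
    """What a plain form-to-mail script does: every field, verbatim."""
    return "\n".join(f"{k}: {v}" for k, v in fields.items())


def render_mail_hardened(fields: dict) -> tuple:
    """Render the notification with every PAN masked.

    Returns (body, leaked_fields). When leaked_fields is non-empty the form
    is collecting card data that belongs in a payment processor, not in
    email: the caller should not send the message and should alert on it."""
    lines = []
    leaked = []
    for k, v in fields.items():
        v = str(v)
        pans = find_pans(v)
        if pans:
            leaked.append(k)
            for p in pans:
                v = v.replace(p, mask_pan(p))
        lines.append(f"{k}: {v}")
    return "\n".join(lines), leaked


# Constructed submission of the shape shown in the story above.
SAMPLE_FIELDS = {
    "name": "Ryan Barnett",
    "number of hats-orange": "1",
    "card number": "4111 1111 1111 1111",   # Visa test number, not a real card
    "expiry": "02/07",
    "their zip": "20171",
    "phone": "555-123-4567",
}

if __name__ == "__main__":
    print("--- what cgiemail-style relaying sends ---")
    print(render_mail_vulnerable(SAMPLE_FIELDS))
    body, leaked = render_mail_hardened(SAMPLE_FIELDS)
    print("--- hardened rendering ---")
    print(body)
    if leaked:
        print("NOT SENDING: card data submitted in fields", leaked)
```

<p>Run it as a script to see both renderings side by side. The point of the Luhn step is precision: a digit-count regex alone would flag order numbers and long phone numbers, while the check digit rejects nine of ten random digit strings, so the alert fires on real card data rather than on noise. The masked body, last four digits only, is the most an order notification should ever carry.</p>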
<div><span class=3D"gmail_quote">On 3/28/06, <b class=3D"gmail_sendername">=
Lyal Collins</b> <<a href=3D"mailto:lyal.collins@key2it.com.au">lyal.col=
lins@key2it.com.au</a>> wrote:</span>
<blockquote class=3D"gmail_quote" style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0=
px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div style=3D"DIRECTION: ltr">
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">While this doe=
sn't answer the question about incident data it may be useful...</font></sp=
an></div>
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">Requirement 3 =
goes on to specify encrypted databases, minimise the volume of card data he=
ld among other things.</font></span></div>
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">These 2
requirements mostly affect the theft of the physical storage media since it's
pretty difficult, imho, to prevent a workstation user from masquerading as an
application call to the database/repository.
</font></span></div>
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">Multi-layer</f=
ont></span><span> <font face=3D"Arial" color=3D"#0000ff" size=3D"2">DM=
Z, with the DB in its own tightly limited access network environment, and s=
eparation from app servers etc are also necessary.
</font></span></div>
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">And these sorts
of requirements exist elsewhere in PCI - Section 1.3.5 and section 2.2.1, for
example</font></span></div>
<div><span></span><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2"><=
/font></span> </div>
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">Requirement 4 =
addresses issues other than attack-based sniffing - e.g. proxy servers that=
cache GET/POST request data, IDS's that log all packets for post-incident =
analysis etc, and simple routing errors.
</font></span></div>
<div><span></span><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2"><=
/font></span> </div>
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">If servers and
apps were strongly locked down, then attackers would focus on the next
weakest barrier in the security environment - and network sniffing and
traffic redirection via ARP or DNS poisoning would probably be higher on the
list of threats.
</font></span></div>
<div><span>
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">So as I think =
about this question, it seems that PCI should be considered in its entirety=
, not just single sections, when it comes to addressing risks.</font></span=
>
</div>
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">Just a few ran=
dom thoughts</font></span></div></span></div>
<div style=3D"DIRECTION: ltr"><span class=3D"sg">
<div><span><font face=3D"Arial" color=3D"#0000ff" size=3D"2">Lyal</font></s=
pan></div></span></div>
<div style=3D"DIRECTION: ltr"><span class=3D"e" id=3D"q_10a3fded63f9f6b2_3"=
>
<blockquote dir=3D"ltr" style=3D"MARGIN-RIGHT: 0px"> </blockquote></sp=
an></div></blockquote></div>
------=_Part_19983_12496245.1143554524502--
Brought to you by http://www.webappsec.org