
RE: [WEB SECURITY] SSL does not = a secure website




I agree entirely - SSL alone is not the answer.  Nor is storage encryption, or 7-character passwords etc...
In the quoted example, the site lacked a sound and secure end-to-end process for the entire transaction lifecycle, instead only addressing the payment capture process.

I've seen several sites where payment pages could be accessed via SSL or, by changing to "http://" in place of "https://", as normal http.

In about 1995, Ausnet, a small Australian ISP, went out of business a few months after either dial-in access was misused to access an internal server, or a backup process was redirected or subverted - details are a bit hazy now.  Someone was prosecuted for the incident - I don't recall the sentence either.

Lyal

-----Original Message-----
From: Ryan Barnett [mailto:rcbarnett@gmail.com]
Sent: Wednesday, 29 March 2006 1:02 AM
To: Lyal Collins
Cc: Web Security; webappsec@securityfocus.com
Subject: Re: [WEB SECURITY] SSL does not = a secure website


Lyal,
My comments about SSL not equating to a "secure site" were not directed at the PCI standard but rather at those uninformed individuals who think that implementing SSL and posting a banner on their site has magically solved their web security problems.

Here is a perfect, personal example of what I mean.  This is a small excerpt from my book -


We're Secure Because We Use SSL: Missing the Point

Back in February 2004, I decided to make an online purchase of some herbal packs that can be heated in the microwave and used to treat sore muscles. When I visited the manufacturer's website, I was dutifully greeted with a message "We are a secure website!  We use 128-bit SSL Encryption."  This was reassuring.  During my checkout process, I decided to verify some general SSL info about the connection.  I double-clicked on the "lock" in the lower-right hand corner of my web browser and verified that the domain name associated with the SSL certificate matched the URL domain that I was visiting, that it was signed by a reputable Certificate Authority such as VeriSign and, finally, that the certificate was still valid.  Everything seemed in order so I proceeded with the checkout process and entered my credit card data.  I hit the submit button and was then presented with a message that made my stomach tighten up.  The message is displayed below, however I have edited some of the information to obscure both the company and my credit card data.

The following email message was sent.

To: comanyname@aol.com
From: RCBarnett@email.com
Subject: ONLINE HERBPACK!!!

name: Ryan Barnett
address: 1234 Someplace Ct.
city: Someplace
state: State
zip: 12345
phone#:
Type of card: American Express
name on card: Ryan Barnett
card number: 123456789012345
expiration date: 11/05
number of basics:
Number of eyepillows:
Number of neckrings: 1
number of belted: 1
number of jumbo packs:
number of foot warmers: 1
number of knee wraps:
number of wrist wraps:
number of keyboard packs:
number of shoulder wrap-s:
number of cool downz:
number of hats-black:                number of hats-gray:
number of hats-navy:                number of hats-red:
number of hats-rtcamo:                number of hats-orange:
do you want it shipped to a friend:
name:
their address:
their city:
their state:
their zip:

cgiemail 1.6

I could not believe it.  They had sent out my credit card data in clear-text to an AOL email account.  How could this be?  They were obviously technically savvy enough to understand the need to use SSL encryption when clients submitted their data to their website.  How could they not provide the same due diligence on the back-end of the process?

I was hoping that I was somehow mistaken.  I saw a banner message at the end of the screen that indicated that the application used to process this order was called "cgiemail 1.6".  I therefore hopped on Google and tried to track down the details of this application.  I found a hit in Google that linked to the cgiemail webmaster guide.  I quickly reviewed the contents and found what I was looking for in the "What security issues are there?" section:

Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server.

Risk: With cgiemail as with any form-to-mail program, eavesdroppers can also operate on any point on the pathway between the web server and the end reader of the mail. Since there is no encryption built into cgiemail, it is not recommended for confidential information such as credit card numbers.

Shoot, just as I suspected.  I then spent the rest of the day contacting my credit card company about possible information disclosure and to place a watch on my account.  I also contacted the company by sending an email to the same AOL address outlining the security issues that they needed to deal with.  To summarize this story - Use of SSL does not a "secure site" make.


-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 3/28/06, Lyal Collins <lyal.collins@key2it.com.au> wrote:

While this doesn't answer the question about incident data it may be useful...

Requirement 3 goes on to specify encrypted databases, minimise the volume of card data held, among other things.
These 2 requirements mostly affect the theft of the physical storage media since it's pretty difficult, imho, to prevent a workstation user from masquerading as an application call to the database/repository.
Multi-layer DMZ, with the DB in its own tightly limited access network environment, and separation from app servers etc are also necessary.
And these sorts of requirements exist elsewhere in PCI - Section 1.3.5 and section 2.2.1, for example.

Requirement 4 addresses issues other than attack-based sniffing - e.g. proxy servers that cache GET/POST request data, IDSs that log all packets for post-incident analysis etc, and simple routing errors.

If servers and apps were strongly locked down, then attackers would focus on the next weakest barrier in the security environment - and network sniffing, and traffic redirection via ARP or DNS poisoning, would probably be higher on the list of threats.

So as I think about this question, it seems that PCI should be considered in its entirety, not just single sections, when it comes to addressing risks.

Just a few random thoughts

Lyal
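Lyal's observation at the top of the thread, that payment pages "could be accessed as normal http" just by swapping the scheme, is a check a tester can automate. The script below is an added example for this page, not code from either correspondent: probe() makes the two requests a tester would make by hand, and classify() holds the decision logic so it can be exercised offline on constructed responses. The host shop.example and the path /checkout are illustrative names, not a real site.

```python
"""Does the payment page also answer over plain HTTP?

Added example for this thread, not code from the original message.
probe() fetches the https:// page and its http:// twin without following
redirects; classify() turns the two responses into findings. The host
shop.example and path /checkout are assumptions for illustration only.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit
from typing import Dict, List, Optional, Tuple

Result = Optional[Tuple[int, Dict[str, str]]]   # None = connection failed


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following 3xx so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> Result:
    """GET url without following redirects; return (status, headers) or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx: still a response
        return err.code, dict(err.headers)
    except (urllib.error.URLError, OSError):   # refused, timed out, no route
        return None


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def classify(https_url: str, http_result: Result,
             https_headers: Dict[str, str]) -> List[str]:
    """Findings for the plain-HTTP twin of https_url; an empty list is clean.

    SERVES_IN_CLEAR        the page (and its form) works over http
    REDIRECT_NOT_TO_HTTPS  3xx, but not to https:// on the same host
    HTTP_STATUS_<n>        anything else unexpected on port 80
    NO_HSTS                https response lacks Strict-Transport-Security,
                           so browsers will keep trying http:// first
    """
    findings: List[str] = []
    host = urlsplit(https_url).hostname
    if http_result is not None:
        status, headers = http_result
        if 200 <= status < 300:
            findings.append("SERVES_IN_CLEAR")
        elif status in (301, 302, 303, 307, 308):
            target = urlsplit(_lower(headers).get("location", ""))
            # A relative Location keeps the client on http; a different host
            # is not "the same page, just encrypted".
            if target.scheme != "https" or (target.hostname or host) != host:
                findings.append("REDIRECT_NOT_TO_HTTPS")
        else:
            findings.append(f"HTTP_STATUS_{status}")
    if "strict-transport-security" not in _lower(https_headers):
        findings.append("NO_HSTS")
    return findings


def probe(https_url: str) -> List[str]:
    """Live check: derive the http:// URL, fetch both variants, classify."""
    parts = urlsplit(https_url)
    http_url = urlunsplit(("http",) + tuple(parts[1:]))
    https_result = fetch(https_url)
    https_headers = https_result[1] if https_result else {}
    return classify(https_url, fetch(http_url), https_headers)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://shop.example/checkout"
    print(probe(url) or ["OK"])
```

A clean result is a redirect to https:// on the same host plus an HSTS header; note that even then, anything a browser POSTs to the http:// URL before the redirect has already crossed the wire in clear, so the form itself must only ever be served from the https:// page.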

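The cgiemail failure Ryan describes is that a form-to-mail script formatted every submitted field into an e-mail body, so the card number left the TLS-protected web server as plain SMTP. The following is an added example for this page, not cgiemail's code and not code from the original message: a hypothetical replacement for that formatting step that finds primary account numbers (PANs) in the fields, masks them to the last four digits, and tells the caller whether the message may be sent at all. It uses the publicly documented American Express test number 378282246310005 in its sample order; the redacted 123456789012345 in the thread is a placeholder that does not pass the Luhn check, which is why the example also masks any 13-19 digit run in a field whose name says it holds a card number.

```python
"""Form-to-mail gate: never forward a card number in clear text.

Added example for this thread; not cgiemail's code and not code from the
original message. The field names and the sample order are constructed
to resemble the e-mail quoted in the thread.
"""
import re
from typing import Dict, Iterator, Tuple

# 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names expected to hold a PAN: for these the Luhn check is not
# required, so malformed or placeholder numbers are masked as well.
_SENSITIVE_NAME = re.compile(r"card\s*(number|num|no\.?|#)|\bpan\b", re.I)


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str, strict: bool = True) -> Iterator[Tuple[str, str]]:
    """Yield (matched_text, digits) for each PAN-like run in text.

    strict=True requires the Luhn check to pass; strict=False accepts any
    13-19 digit run (used for fields whose name says they hold a card).
    """
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and (not strict or luhn_ok(digits)):
            yield m.group(0), digits


def mask_pan(digits: str) -> str:
    """Replace all but the last four digits with '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_fields(fields: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Return (masked_fields, pan_found) for a submitted form."""
    cleaned: Dict[str, str] = {}
    found = False
    for name, value in fields.items():
        strict = not _SENSITIVE_NAME.search(name)
        new_value = value
        for matched, digits in find_pans(value, strict=strict):
            found = True
            new_value = new_value.replace(matched, mask_pan(digits))
        cleaned[name] = new_value
    return cleaned, found


def may_send(fields: Dict[str, str]) -> bool:
    """True if the form can be e-mailed unchanged, i.e. no PAN is present."""
    return not sanitize_fields(fields)[1]


def build_mail_body(fields: Dict[str, str], allow_masked: bool = False) -> str:
    """Render 'name: value' lines the way a form-to-mail script does.

    Raises ValueError if a PAN was present and allow_masked is False, so a
    misconfigured form cannot leak card data; with allow_masked=True the
    masked order details are still delivered to the merchant's mailbox.
    """
    cleaned, found = sanitize_fields(fields)
    if found and not allow_masked:
        raise ValueError("card number submitted; refusing to send via e-mail")
    return "\n".join(f"{k}: {v}" for k, v in cleaned.items())


if __name__ == "__main__":
    # Constructed order shaped like the one in the thread, with the
    # publicly documented American Express test number, not a real PAN.
    order = {
        "name": "Ryan Barnett",
        "address": "1234 Someplace Ct.",
        "phone#": "555-123-4567",
        "Type of card": "American Express",
        "card number": "378282246310005",
        "expiration date": "11/05",
    }
    print(build_mail_body(order, allow_masked=True))
```

Masking keeps the order e-mail useful to the merchant while removing the only part of it that is worth stealing in transit; the full number belongs with the payment processor over an encrypted channel, never in a mailbox. Addresses, phone numbers and zip codes fall below the 13-digit floor and pass through untouched.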


  style=3D"mso-spacerun: yes">&nbsp;</SPAN></INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39> <SPAN=20
  style=3D"mso-spacerun: yes">&nbsp;</SPAN></INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:42> <SPAN=20
  style=3D"mso-spacerun: yes">&nbsp;</SPAN></INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39> <SPAN=20
  style=3D"mso-spacerun: yes">&nbsp;</SPAN></INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:42> <SPAN=20
  style=3D"mso-spacerun: yes">&nbsp;</SPAN></INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39> <SPAN=20
  style=3D"mso-spacerun: yes">&nbsp;</SPAN></INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:42> <SPAN=20
  style=3D"mso-spacerun: yes">&nbsp;</SPAN></INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39> <SPAN=20
  style=3D"mso-spacerun: yes">&nbsp;</SPAN>number of=20
  hats-orange:</INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:43> </INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39>do you want it =
shipped to a=20
  friend:</INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt">=20
  <INS cite=3Dmailto:UNOLACA =
dateTime=3D2005-09-20T09:43></INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA =
dateTime=3D2005-09-20T09:39>name:</INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:43> </INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39>their =
address:</INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:43> </INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39>their =
city:</INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:43> </INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39>their =
state:</INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:43> </INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39>their =
zip:</INS></SPAN><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:43> </INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA =
dateTime=3D2005-09-20T09:43>&nbsp;</INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA =
dateTime=3D2005-09-20T09:43>&nbsp;</INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39>cgiemail =
1.6</INS></SPAN></P>
  <P class=3DSC2=20
  style=3D"MARGIN: 6pt 1in 0in 0in; mso-style-name: SB; tab-stops: .5in; =
mso-list: none; mso-list-ins: UNOLACA 20050920T0943; mso-prop-change: =
UNOLACA 20050920T0941"><SPAN=20
  style=3D"FONT-SIZE: 11pt; FONT-FAMILY: Arial; mso-bidi-font-family: =
'Times New Roman'; mso-bidi-font-size: 10.0pt"><INS=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:39></INS></SPAN>I could =
not believe=20
  it.<SPAN style=3D"mso-spacerun: yes">&nbsp; </SPAN>They had sent out =
my credit=20
  card data in clear-text to an AOL email account.<SPAN=20
  style=3D"mso-spacerun: yes"> &nbsp; </SPAN>How could this be?<SPAN=20
  style=3D"mso-spacerun: yes">&nbsp; </SPAN>They were obviously =
technically savvy=20
  enough to understand the need to use SSL encryption when clients =
submitted=20
  their data to their website.<SPAN style=3D"mso-spacerun: yes"> &nbsp; =
</SPAN>How=20
  could they not provide the same due diligence on the back-end of the=20
  process?</P>
  <P class=3DSB style=3D"MARGIN: 6pt 1in 0pt 0in">I was hoping that I =
was somehow=20
  mistaken.<SPAN style=3D"mso-spacerun: yes">&nbsp; </SPAN>I saw a =
banner message=20
  at the end of the screen that indicated that the application used to =
process=20
  this order was called "cgiemail 1.6".<SPAN style=3D"mso-spacerun: =
yes">&nbsp;=20
  </SPAN>I therefore hoped on Google and tried to track down the details =
of this=20
  application.<SPAN style=3D"mso-spacerun: yes">&nbsp; </SPAN>I found a =
hit in=20
  Google that linked to the cgiemail webmaster guide. <SPAN=20
  style=3D"mso-spacerun: yes">&nbsp; </SPAN>I quickly reviewed the =
contents and=20
  found what I was looking for in the "What security issues are there?"=20
  section:</P>
  <P class=3DSB style=3D"MARGIN: 6pt 1in 0pt 0in">&nbsp;</P>
  <P class=3DMsoNormal=20
  style=3D"MARGIN: 0in 0in 0pt 0.25in; mso-margin-top-alt: auto; =
mso-margin-bottom-alt: auto"><FONT=20
  size=3D2>Interception of network data sent from browser to server or =
vice versa=20
  via network eavesdropping. Eavesdroppers can operate from any point on =
the=20
  pathway between browser and server. </FONT></P>
  <P class=3DMsoNormal=20
  style=3D"MARGIN: 0in 0in 0pt 0.25in; mso-margin-top-alt: auto; =
mso-margin-bottom-alt: auto"><FONT=20
  size=3D2><BR><EM><SPAN=20
  style=3D"FONT-FAMILY: Arial; mso-bidi-font-family: 'Times New =
Roman'">Risk: With=20
  cgiemail as with any form-to-mail program, eavesdroppers can also =
operate on=20
  any point on the pathway between the web server and the end reader of =
the=20
  mail. Since there is no encryption built into cgiemail, it is not =
recommended=20
  for confidential information such as credit card numbers. =
</SPAN></EM><SPAN=20
  style=3D"FONT-SIZE: 12pt; FONT-FAMILY: 'Arial Unicode =
MS'"></SPAN></FONT></P>
  <DIV=20
  style=3D"BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: =
medium none; PADDING-LEFT: 0in; PADDING-BOTTOM: 1pt; MARGIN-LEFT: 0in; =
BORDER-LEFT: medium none; MARGIN-RIGHT: 1in; PADDING-TOP: 0in; =
BORDER-BOTTOM: windowtext 1pt solid; mso-element: para-border-div; =
mso-border-bottom-alt: solid windowtext .75pt">
  <P class=3DSBX=20
  style=3D"BORDER-RIGHT: medium none; BORDER-TOP: medium none; MARGIN: =
6pt 0in 0in; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none; =
mso-style-name: SB; mso-prop-change: UNOLACA 20050920T0943; =
mso-padding-alt: 0in 0in 0in 0in">Shoot,=20
  just as I suspected.<SPAN style=3D"mso-spacerun: yes">&nbsp; </SPAN>I =
then spent=20
  the rest of the day contacting my credit card company about possible=20
  information disclosure and to place a watch on my account.<SPAN=20
  style=3D"mso-spacerun: yes"> &nbsp; </SPAN>I also contacted the =
company by=20
  sending an email to the same AOL address outlining the security issues =
that=20
  they needed to deal with.<SPAN style=3D"mso-spacerun: yes">&nbsp; =
</SPAN>To=20
  summarize this story &#8211; Use of SSL does not a "secure site" make. =
</P>
  <P class=3DSBX style=3D"MARGIN: 6pt 1in 6pt 0in"><SPAN =
class=3DmsoDel><DEL=20
  cite=3Dmailto:UNOLACA dateTime=3D2005-09-20T09:43><FONT=20
  color=3D#ff0000>&nbsp;</FONT></DEL></SPAN></P></DIV></DIV>
  <DIV>&nbsp;</DIV>
  <DIV>-- <BR>Ryan C. Barnett<BR>Web Application Security Consortium =
(WASC)=20
  Member<BR>CIS Apache Benchmark Project Lead<BR>SANS Instructor: =
Securing=20
  Apache<BR>GCIA, GCFA, GCIH, GSNA, GCUX, GSEC<BR>Author: Preventing Web =
Attacks=20
  with Apache <BR><BR>&nbsp;</DIV>
  <DIV><SPAN class=3Dgmail_quote>On 3/28/06, <B =
class=3Dgmail_sendername>Lyal=20
  Collins</B> &lt;<A=20
  =
href=3D"mailto:lyal.collins@key2it.com.au";>lyal.collins@key2it.com.au</A>=
&gt;=20
  wrote:</SPAN>=20
  <BLOCKQUOTE class=3Dgmail_quote=20
  style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: =
#ccc 1px solid">
    <DIV style=3D"DIRECTION: ltr">
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff size=3D2>While this =
doesn't answer=20
    the question about incident data it may be =
useful...</FONT></SPAN></DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff =
size=3D2></FONT></SPAN>&nbsp;</DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff size=3D2>Requirement 3 =
goes on to=20
    specify encrypted databases, minimise the volume of card data held =
among=20
    other things.</FONT></SPAN></DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff size=3D2>These 2 =
requirements mostly=20
    affect the theft of the&nbsp;physical storage media since it's =
pretty=20
    difficult,&nbsp;imho to prevent a worstation user from masquerading =
as an=20
    application call to the database/repository. </FONT></SPAN></DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff=20
    size=3D2>Multi-layer</FONT></SPAN><SPAN>&nbsp;<FONT face=3DArial =
color=3D#0000ff=20
    size=3D2>DMZ, with the DB in its own tightly limited access network=20
    environment, and separation from app servers&nbsp;etc are also =
necessary.=20
    </FONT></SPAN></DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff size=3D2>And these =
sorts of=20
    requirement exists elsewhere in PCI&nbsp;- Section 1.3.5, and =
section=20
    2.2.1&nbsp;for example</FONT></SPAN></DIV>
    <DIV><SPAN></SPAN><SPAN><FONT face=3DArial color=3D#0000ff=20
    size=3D2></FONT></SPAN>&nbsp;</DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff size=3D2>Requirement 4 =
addresses=20
    issues other than attack-based sniffing - e.g. proxy servers that =
cache=20
    GET/POST request data, IDS's that log all packets for post-incident =
analysis=20
    etc, and simple routing errors. </FONT></SPAN></DIV>
    <DIV><SPAN></SPAN><SPAN><FONT face=3DArial color=3D#0000ff=20
    size=3D2></FONT></SPAN>&nbsp;</DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff size=3D2>If servers =
and apps were=20
    strongly locked down, then attackers would focus on the next weakest =
barrier=20
    in the security environment - and network sniffing, and traffic =
redirection=20
    via ARP or DNS poisoning would probably be higher on the list of=20
    threats&nbsp; </FONT></SPAN></DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff =
size=3D2></FONT></SPAN>&nbsp;</DIV>
    <DIV><SPAN>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff size=3D2>So as I think =
about this=20
    question, it seems that PCI should be considered in its entirety, =
not just=20
    single sections, when it comes to addressing risks.</FONT></SPAN> =
</DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff =
size=3D2></FONT></SPAN>&nbsp;</DIV>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff size=3D2>Just a few =
random=20
    thoughts</FONT></SPAN></DIV></SPAN></DIV>
    <DIV style=3D"DIRECTION: ltr"><SPAN class=3Dsg>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff=20
    size=3D2>Lyal</FONT></SPAN></DIV></SPAN></DIV>
    <DIV style=3D"DIRECTION: ltr"></DIV></DIV>
    <DIV style=3D"DIRECTION: ltr"><SPAN class=3De =
id=3Dq_10a3fded63f9f6b2_3>
    <DIV><SPAN><FONT face=3DArial color=3D#0000ff =
size=3D2></FONT></SPAN>&nbsp;</DIV>
    <BLOCKQUOTE dir=3Dltr=20
    style=3D"MARGIN-RIGHT: =
0px">&nbsp;</BLOCKQUOTE></SPAN></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></BO=
DY></HTML>

------=_NextPart_000_0001_01C65309.517E98A0--
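The cgiemail excerpt in the message above makes the point that SSL covers only the browser-to-server leg: a form-to-mail program then forwards the same fields onward in a clear-text e-mail. The following is an added example, not cgiemail's code and not from either poster: a hypothetical form-to-mail guard that redacts Luhn-valid card numbers before the outgoing message body is built, so a card field entered into the form never leaves the server in the clear. The field names and the submission it processes are constructed; 4111 1111 1111 1111 is a well-known Luhn-valid test number.

```python
"""Hypothetical form-to-mail guard: never forward a card number in clear-text e-mail.

Added example, not cgiemail's code. The form fields arrive over SSL, but the
e-mail that carries them onward is unencrypted, so any field that looks like
a primary account number (PAN) is redacted before the message body is built.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out order numbers and zips."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(value: str) -> tuple[str, int]:
    """Mask every Luhn-valid digit run in value; return (masked text, number redacted)."""
    count = 0

    def mask(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)       # not a card number: leave it alone
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(mask, value), count


def build_mail_body(fields: dict) -> tuple[str, bool]:
    """Assemble the outgoing message; the flag tells the caller card data was stripped."""
    lines, leaked = [], False
    for name, value in fields.items():
        clean, hits = redact_pans(str(value))
        leaked = leaked or hits > 0
        lines.append(f"{name}: {clean}")
    if leaked:
        lines.insert(0, "NOTICE: card number removed; take payment through the processor, not e-mail.")
    return "\n".join(lines), leaked


if __name__ == "__main__":
    # Constructed submission modelled on the order form in the story above.
    body, leaked = build_mail_body(
        {"name": "Test Customer", "card": "4111 1111 1111 1111", "zip": "12345"}
    )
    print(body)        # card line reads "card: ************1111"
```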



Brought to you by http://www.webappsec.org