Pete Finnigan's Oracle Security Weblog

Credit card security should be important for all those concerned with handling and processing credit cards. My company does security audits of Oracle databases and we quite often get involved in credit card security. We are not QSA's and are not dong QSA type audits but often as part of our Oracle database security audits we find glaring issues related to credit card processing or storage in Oracle databases. I know how important it is to companies that credit card details are secured and handled properly. I travel a lot with business across the UK, Europe, middle east and occasionally further so get involved in booking hotel rooms for business trips; either through my own company or because clients books rooms for me.

What is starting to annoy me is how hotels and companies outside the UK (I have to say none of these issues have occured in the UK to me personally yet, i guess it doesn't mean they won't happen) are handling personal data and particularly credit card details and even passports.

I have had a lot of requests from hotels to send all my card details to them so that i can book a room. Here is an example. Last week a client booked a hotel for me in Europe and I recieved a confirmation email for the hotel booking with a booking reference BUT its accompanied by an email that says I need to scan both sides of my credit card; provide on a form, the name on card, expiry date, card number, start date and my signature. The scan of the card also would give them the CVV. This is enough detail to make payments on-line as me. What would my card company say if someone made fraudulent payments on my card and i said "hey, these are payments here are fraudulent and by the way I provided this detail in writing along with scans to a hotel via email and i have no idea where they stored this data or held it or indeed who they gave it to". Would they say, its fine sir we will cover the loss, or well sir you have been negligent by giving these details to a hotel?

This is not an isolated case; literally all hotels I have been involved in booking lately are doing this. They want this data in an ad-hoc way in printed format often sent to generic email addresses. A hotel a month ago was using a gmail account for this very purpose and they expected me to send my details to a gmail account. In all cases I refuse to comply and insist that I call and if they wish they can pre-authorise the card and send me proof that they did it. This is no different to booking on line or over the phone I guess. Sending your card details and scans of the card sounds crazy to me. So far no hotel has refused to honour the booking when i refuse to email and send details in a printed format.

I also did a test case for a middle east/gulf hotel where I refused to send my card details so i gave a completely bogus card number (made up) over the phone. When i checked out of the hotel (which was some weeks after booking and the call) they obviously tried to put the transaction though their card machine at checkout and it failed. I handed over my correct card and it was fine; so at least in this case they must have written down the wrong card number or entered it in their database and never pre-authorised it. What therefore in this case was the point of asking for it. If i didnt turn up they would not be able to charge the fisrt night for instance.

I was happy in this case as I didnt want my card number stored on their hotel database so far from the UK. This is becoming a trend in my experience with hotels that is most likely driven by people booking and then not turning up and the hotel wanting to be able to charge but for me its not good enough to store my card details on paper or in email systems or ....

I have also seen a return to the days of trying to hold on to my passport as I attend a companies building or checkin to a hotel.

I remember this process years ago but have not seen it personnaly again until recently. I checked into a hotel a few weeks ago and they wanted to photo-copy my passport. They had my details on my booking and had pre-authorised my card but they said they wanted to copy my passport. I asked why? they could not tell me; they just said its hotel policy so I said I dont have a passport; they said OK, then your identity card (I said luckily we don't have these in the UK) or driving license. I said I dont have any of these either. They said OK, and continued to check me in. No common sense; how did i arrive in that country with no ID, obviously i have ID and i did carry it woth me at all times; I just dont feel comfortable to have them take copies and keep them who knows where and for who knows how long. If they are collecting this for their government then why can they not tell this is the reason and what the actual purpose of it is. The country knows I entered their soil as my passport was scanned as I went through passport control some one hour before.

I had the same experience in another country a few weeks ago when I arrived at a clients office i was asked to surrender my passport to some woman at the desk in return for a "plastic token". The woman then placed my passport in a carousel that is accessible to any visitor to this building. She then escorted me to the lift and swiped me into the lift; i.e. she left the carousel to be plundered by anyone else visiting - it was reachable by anyone. She could not speak a word of English so to get into the client I had no choice. The client came back downstairs immediately and retrieved my passport for me. The silly thing was to leave this building later the client had to swipe themselves out and then pass the badge to me over the barrier to allow me to swipe out as the barrier was un-manned. We discussed this (taking of my passport) during my time there are I was told its to prevent terrorism. It was interesting also that they had a metal detector and x-ray scanner at the building entrance but i was motioned to avoid that by the woman at the front desk and instead to come straight to the desk to her - I was not asked to go back and be scanned after speaking to her. So keeping peoples passports was deemed to be a deterant against terrorism but not actually protecting the building (i.e. bypassing the scanners and barriers) was OK and clearly doesn't prevent issues. This to me is a "jobsworth" problem not a true intent to secure their building.

In this age of identity theft I am not happy that these two things happen. The first regards credit card details being far more common in my experience over the last year or so. The credit card companies need to get on top of this and ask hotels and others to stop asking customers to copy their cards with scanners and photo-copiers or send all details and their signatures. Simply have a card pre-authorised as that seems logical if they want to ensure payment if a guest doesn't turn up. If the real reason is collecting data about people then we should know why. The fact that all hotels now seem to be doing it is a worry for loss of identity.

The latter part of the title of this blog post first!. I submitted a couple of entries for the up-coming UKOUG Oracle conference this year; I hope that they will be accepted. The Judging process is on going now. The conference is moving this year to Manchester from its normal home of the ICC in Birmingham so it will be good to be in a new venue. I volunteered for the abstract judging as I normally do and the thing that struck me this year is that there is a good number of talks submitted on Oracle security so it should be a good conference; excellent!

The second part of this short blog is that whilst looking at the broken web site earlier this week Marcel-Jan sent me an email to let me know that he could not access a forum post that he had made recently titled "oracle-enum-users doesn’t work on Nmap 6.25" that he could not longer access. This was due to my webserver file system telling itself that it was read only; an aspect of the disk issues we were having. In Marcel-Jan's post he referenced his blog and I made a note to mention it here. Marcel-Jans Oracle Blog is excellent and includes a number of posts around Oracle security, these include:

1) discussing nmap against the Oracle listener
2) the subject of Marcel-Jans post on my forum which was that the oracle-enum-users didnt workin his testing for an upcoming talk,
3) hacking Oracle as a way to learn why you need to secure it
4) Public database links are a problem
5) creating Oracle database honey pots
6) auditing the listener
7) a good discussion of worms and Oracle

and many more, head over to Marcel-Jans Oracle blog for more details.

For the last week some of you may have noticed issues with our website PeteFinnigan.com as at times it failed completely or was giving 403 errors even where there was no protected regions of the site and at some other times the forum was not working when you tried to access forum posts. Also the "visitors on line" tag line was showing an error. The issue related to a failing disk on the server that our site is hosted on. We tried to work around this to avoid a full site migration and full rebuild for a while to no avail and now finally yesterday the website has been moved to a new server, new disks of course and is now fully migrated and working again properly. Well the public side is working, we still have some admin functions to get running again.

So if you found we were not live in the last week, sorry for that and hopefully you can now find what you are looking for. The site is back.

Our products PFCLOBfuscate to protect and secure PL/SQL and our database scanner PFCLScan are on seperate websites and hosts so these were not affected.

My company started with my PeteFinnigan.com website a long time ago, indeed the site existed before the company hence it made a good vehicle to use as my limited companies name and so my company was born just over ten years ago using the name of my existing website. The website still has the look and feel of a private persons website collecting information on Oracle security and of course talking about Oracle security. i have been reluctant to change that over the years as in one sense I like the approach that we live and breath Oracle security but we also sell training, securty audits of Oracle databases and also consulting and design around areas such as Oracle Label Security, Virtual Private Database, Fine Grained Audit, encryption, Security controls and well indeed anything related to Oracle Security.

Also we have created our two software products PFCLObfuscate to protect PL/SQL and SQL and also PFCLScan to scan and test databases for security compliance. We also have two other software products coming soon.... more details about those later....

We have been very successful over the years providing Oracle Security services, training and products from a company named after my website and also to a lot of big and small clients worldwide but with a site that looks a little more like a personal site. I have been mulling over recently that we should make it look more professional (Note: to people cold selling web design and seo services this is not an invitation to offer these to me!!!) and more product/service oriented and remove the big picture of myself. ,

I will let you know what we decide and finally if anyone finds any area of the site still broken that we have missed please let me know.

Bye for now!