Author Topic: Enormously Frustrated with Unidata  (Read 13884 times)

precisonline

  • President
  • Administrator
  • Rock Star
  • Posts: 1612
    • Precision Solutions
Enormously Frustrated with Unidata
« on: March 02, 2010, 10:03:25 AM »
A few days ago we found out that many (most?) Prelude sites are storing unencrypted credit card information.  Up to this point, it's a security hole.  In a few months, however, it's going to become a federal compliance issue leading to fines and fees and all sorts of fugly.  At the risk of sounding a scare horn, we need to get this information encrypted, and the sooner the better.

In digging through the Unidata manuals, I found a nice little function that should serve the needs quite nicely.  The "ENCRYPT()" function is supposed to allow data to be encrypted and decrypted through a number of symmetric algorithms.  If only it were that simple.  Apparently - and I'm still trying to get to the bottom of this part - the function was released in Unidata 6.0, but wasn't actually made functional until 7.1.  Of course, this does absolutely zero for those sites that are happily making a living on systems pre 7.1.

While Unidata has definitely wet the bed on this issue, we are fortunately not without options.  SB+ has encryption baked into it and we can use that for Prelude encryption.  I just need to get this plugged into the Prelude encryption and decryption routines (which I believe have been in place since... v18?) and we should be good to go.
-Kevin
Accidents "happen"; success, however, is planned and executed.

Colin Alfke

  • Professional
  • Posts: 23
Re: Enormously Frustrated with Unidata
« Reply #1 on: March 03, 2010, 07:00:08 AM »
There are also alerts on 7.1.20 and 7.2 regarding encryption. Not sure what happens if you skip those versions - but I would make sure before committing to an upgrade.

Colin

precisonline

  • President
  • Administrator
  • Rock Star
  • Posts: 1612
    • Precision Solutions
Re: Enormously Frustrated with Unidata
« Reply #2 on: March 03, 2010, 07:49:07 AM »
What kind of alerts?
-Kevin
Accidents "happen"; success, however, is planned and executed.

Alex Copeland

  • Professional
  • Posts: 23
Re: Enormously Frustrated with Unidata
« Reply #3 on: March 18, 2010, 04:47:24 PM »
While UD may have let us down with encryption, here's something that may help: GnuPG http://www.gnupg.org.  You can encrypt stuff with it pretty easily, plus it's free and GPL'ed. Mike Perzl has a compiled RPM of GnuPG at his site: http://www.perzl.org/aix/index.php?n=Main.Gnupg

You can do simple symmetric cipher encryption like

Code:
echo "stuff I want to encrypt" | gpg -c > encrypted.file

In such a manner, you could do something like:

Code:
* ":" concatenates strings in UniBASIC; CCINFO holds the value to encrypt
VERB = "! echo " : CCINFO : " | /opt/freeware/bin/gpg -c -a"
EXECUTE VERB CAPTURING DSP

Then your encrypted info is in DSP to do with as you want.  To decrypt:
Code:
* gpg recognises the armored symmetric input and prompts for the passphrase
VERB = "! echo " : ENCRYPTEDCC : " | /opt/freeware/bin/gpg"
EXECUTE VERB CAPTURING DSP

gpg here will ask for a passphrase, but I think you can generate a key and encrypt against that so it doesn't ask for a passphrase each time.

The Friendly Manual:
http://www.gnupg.org/gph/en/manual.html


--Alex

precisonline

  • President
  • Administrator
  • Rock Star
  • Posts: 1612
    • Precision Solutions
Re: Enormously Frustrated with Unidata
« Reply #4 on: March 18, 2010, 04:54:33 PM »
That's good info Alex, thanks.  I use GPG all the time for secure email and attachments.  I wonder, however, how calling a program outside of Unidata might be viewed by a PCI-DSS auditor?  With my black hat it seems like it could be a convenient point for an insertion attack, or at least potentially interpreted that way by a zealous auditor.

Your thoughts?
-Kevin
Accidents "happen"; success, however, is planned and executed.

Alex Copeland

  • Professional
  • Posts: 23
Re: Enormously Frustrated with Unidata
« Reply #5 on: March 18, 2010, 09:06:23 PM »
I don't think that I'd want a PCI-DSS auditor anywhere around my Prelude/UniData system if it had anything to do with storing credit card information -- the whole security model is flawed.

Any UniBASIC program in a stock Prelude install is a convenient point for an attack.  It would be a trivial exercise for someone with access to a system to replace a program with a malicious piece of code. 

I'd not worry about the call outside of UniData so much as I'd worry about the program that contains the call to the outside program.

precisonline

  • President
  • Administrator
  • Rock Star
  • *****
  • Posts: 1612
    • Precision Solutions
Re: Enormously Frustrated with Unidata
« Reply #6 on: March 19, 2010, 07:33:12 AM »
Point well made and equally well taken, Alex.  It's even easier when encryption keys are stored as strings right inside the code, which not only gives the keys in the source, but also in the object if the source is stripped.  Fortunately, I have a solution for the encryption key issue in object code.
-Kevin
Accidents "happen"; success, however, is planned and executed.

DonQuixote

  • Rock Star
  • Posts: 205
  • To Dream the Impossible Dream...
Re: Enormously Frustrated with Unidata
« Reply #7 on: March 19, 2010, 03:37:44 PM »
I have Unidata 6.1 and the ENCRYPT() command works.
Prelude had created two subroutines that also work for encryption.
PSI.ENCRYPT
PSI.DECRYPT

precisonline

  • President
  • Administrator
  • Rock Star
  • Posts: 1612
    • Precision Solutions
Re: Enormously Frustrated with Unidata
« Reply #8 on: March 19, 2010, 03:41:55 PM »
Yes, but the versions of PSI.ENCRYPT and PSI.DECRYPT that I've seen didn't work because the Unidata encryption didn't work, and besides, the decryption key is right there in the source and object code, so it's not really all that secure.
-Kevin
Accidents "happen"; success, however, is planned and executed.
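Added example, not code from this thread, from Prelude or from Unidata: a POSIX shell wrapper for the gpg approach in Reply #3 that also addresses the key-in-source concern from Replies #6 and #8. It feeds the card value to gpg on stdin rather than on a command line, and reads the passphrase from a file that is refused unless only its owner can read it; the CC_KEYFILE path is a placeholder, and GnuPG 2.1 or later on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, Prelude or Unidata): wrap GnuPG symmetric
# encryption so that (1) the card value reaches gpg on stdin, never on a shell
# command line where any local user can read it with ps, and (2) the passphrase
# lives in a file outside the program source and object code and is refused
# unless only its owner can read it. Assumes GnuPG 2.1+ on PATH.
CC_KEYFILE="${CC_KEYFILE:-/etc/prelude/cc.key}"   # placeholder path, not a real Prelude file

# keyfile_ok FILE: succeed only if FILE is a regular file readable by its owner alone.
# ls output is parsed because stat's flags differ between AIX, Linux and BSD.
keyfile_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?rw-------|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# encrypt_field: plaintext on stdin -> ASCII-armored ciphertext on stdout
encrypt_field() {
    keyfile_ok "$CC_KEYFILE" || { echo "refusing $CC_KEYFILE: bad permissions" >&2; return 1; }
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$CC_KEYFILE" \
        --symmetric --cipher-algo AES256 --armor
}

# decrypt_field: armored ciphertext on stdin -> plaintext on stdout
decrypt_field() {
    keyfile_ok "$CC_KEYFILE" || { echo "refusing $CC_KEYFILE: bad permissions" >&2; return 1; }
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$CC_KEYFILE" --decrypt
}

# roundtrip VALUE: succeed if VALUE survives encrypt+decrypt unchanged.
# printf is a shell builtin, so VALUE never becomes another process's argv.
roundtrip() {
    cipher=$(printf '%s' "$1" | encrypt_field) || return 1
    plain=$(printf '%s' "$cipher" | decrypt_field) || return 1
    [ "$plain" = "$1" ]
}
```

From UniBASIC the same wrapper can be reached with EXECUTE by piping the value into a script that sources these functions, which keeps the value off the `sh -c` command line that EXECUTE "! ..." otherwise builds.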

slestak

  • Uber-Pro
  • Posts: 77
Re: Enormously Frustrated with Unidata
« Reply #9 on: January 17, 2011, 12:18:24 PM »
Quote from: precisonline on March 18, 2010, 04:54:33 PM
That's good info Alex, thanks.  I use GPG all the time for secure email and attachments.  I wonder, however, how calling a program outside of Unidata might be viewed by a PCI-DSS auditor?  With my black hat it seems like it could be a convenient point for an insertion attack, or at least potentially interpreted that way by a zealous auditor.

Your thoughts?

Along these lines, udt is likely making a call out to an external program.  At least here we can prove the provenance of the encryption and re-encrypt with a newer version if the gpg routine was needing updating.  Just like with the xml libraries and base64 libraries in udt, pretty much what you get is what you get until your next upgrade.