teddanson (Absolute fan)
Post subject: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant? Posted: 18 Mar 2021, 11:31
Joined: 16 Nov 2018, 14:21 | Posts: 1570 | Location: New Delaware | Has thanked: 448 times | Been thanked: 496 times

Just a question that's been circling my noggin for a while, and I thought I'd ask. Is the site GDPR and PCI DSS compliant? I guess in terms of pseudonymisation and PII and all the rest of it, I'm asking whether database entries are given the salt and pepper treatment and so on. I imagine a SAR request would yield little given we all use usernames/pseudonyms and so on. But is financial and PII data looked after, and how? Understood if the answer needs to be somewhat coy in terms of protecting the integrity of the site. I'm just curious more than anything.

_________________
Blog: The Coterie / L'boxd: Diary
Pioneer CLD-R7G, CLD-D925 | Yamaha APD-2 | DVDO Edge, VP50 Pro

admin (Site Admin)
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant? Posted: 18 Mar 2021, 16:15
Joined: 07 Aug 2002, 23:37 | Posts: 4569 | Location: Tokyo | Has thanked: 299 times | Been thanked: 1166 times

teddanson wrote:
    GDPR / PCI DSS / pseudonymisation / PII / salt / SAR

Since you seem to know what these words mean, could you enlighten us?

I have a cookie validation popup (yearly), a Privacy section, passwords are salted and hashed one-way, and accounts are deleted when someone requests it. I do not have financial information such as CC numbers or other Government IDs, etc. It's REALLY simple and minimalist. What else is needed?

Julien

_________________
HARDWARE DATABASE HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G LDD-1 MSC-4000 R2144 PONTUS II C45 MC257

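The reply above says passwords are "salted and hashed one-way", and the opening post asks about the "salt and pepper treatment". The following is an added example, not code from lddb.com or from either poster, showing what those two things look like in practice: a random per-password salt stored next to the hash, a server-side pepper that never enters the database, a slow one-way KDF, and a constant-time comparison at login. The algorithm choice (PBKDF2-HMAC-SHA256), the iteration count and the PEPPER value are my own illustrative assumptions, not the site's actual settings.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters only (assumption: not lddb.com's actual settings).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16

# The "pepper": a secret kept in server configuration, never in the database.
# Constructed value for the example; a real one is random and lives outside the web root.
PEPPER = b"server-side-secret-not-stored-in-db"


def _peppered(password: str, pepper: bytes) -> bytes:
    # HMAC the password with the pepper first. A dumped password table is then
    # useless without the server-side secret, even for weak passwords.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    The salt is random per password, so two users with the same password get
    different records and an attacker cannot precompute one table for everybody.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute from the parameters stored in the record and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != ALGO:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iters = int(iterations)
    except ValueError:          # malformed record: wrong field count, bad hex, bad int
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, iters)
    # compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                 # False
```

Storing the iteration count inside the record is what lets you raise it later without a forced password reset: old records keep verifying with their own parameters and get re-hashed on the next successful login. The pepper is what the opening post's "pepper" refers to; losing it makes every record unverifiable, so it needs the same backup treatment as the database itself.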
teddanson (Absolute fan)
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant? Posted: 18 Mar 2021, 17:26
Joined: 16 Nov 2018, 14:21 | Posts: 1570 | Location: New Delaware | Has thanked: 448 times | Been thanked: 496 times

admin wrote:
    teddanson wrote: GDPR / PCI DSS / pseudonymisation / PII / salt / SAR
    Since you seem to know what these words mean, could you enlighten us?

No offence intended. I wasn't being pedantic, I'm just curious how it's managed with regard to the storefront, and thanks for the insight. From what you've said it's a tight ship, that was never in doubt!

For anyone unfamiliar with the acronyms I'm referring to, hopefully this helps:

GDPR: General Data Protection Regulation. More information here: https://gdpr.eu/
PCI DSS: Refers to data security standards around payment methods.
Pseudonymisation: Is data, more specifically personal data, if any, able to be linked to a user, or is the data randomised/encrypted/pseudonymised etc.? More of a GDPR thing but also security.
PII: Personally identifiable information, e.g. name, address, date of birth etc.
Salt/pepper: Refers to data that's appended to existing data, e.g. databases, and adding data to a password that has been hashed, for example.
SAR: Subject access request. Requesting your data from an organisation.

_________________
Blog: The Coterie / L'boxd: Diary
Pioneer CLD-R7G, CLD-D925 | Yamaha APD-2 | DVDO Edge, VP50 Pro

teddanson (Absolute fan)
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant? Posted: 18 Mar 2021, 17:37
Joined: 16 Nov 2018, 14:21 | Posts: 1570 | Location: New Delaware | Has thanked: 448 times | Been thanked: 496 times

signofzeta wrote:
    I seriously thought you made that stuff up. Never in my life have I read a forum post with so many terms totally unknown to me. Reading it again... still looks like a gag, but there don't seem to be any jokes.

Ah no, not my intention at all. My explanation of each acronym is a little brief, apologies, I just knocked it up quick and dirty. Legitimate questions and no offence intended to anyone.

_________________
Blog: The Coterie / L'boxd: Diary
Pioneer CLD-R7G, CLD-D925 | Yamaha APD-2 | DVDO Edge, VP50 Pro

admin (Site Admin)
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant? Posted: 19 Mar 2021, 02:45
Joined: 07 Aug 2002, 23:37 | Posts: 4569 | Location: Tokyo | Has thanked: 299 times | Been thanked: 1166 times

Extra details: Since the website is nearly 20 years old, I had my share of learning about the "bad guys" out there.

0/ Up-to-date Debian 10 / recent kernel. SPECTRE, MELTDOWN and ZombieLoad mitigated (see: The latest CPU bug headache: ZombieLoad).
1/ China and Iran IPs are constantly blocked. Too many hack attempts.
2/ TOR exit nodes are blocked. I don't like anonymous hacking. You can see on https://banhammer.lddb.com/ that the world spam/hack center is Brazil these days. But we do have some good members from Brazil, can't block the whole country.
3/ I had the database crash twice in the past. One time was recoverable, the 2nd time was not. Now I back up EVERYTHING daily to distant storage + log every modifying SQL query in a local text file. In theory we can at most lose 24h if everything burns down -- like it happened to many websites at OVH Strasbourg last week.
4/ Also had a successful SQL injection hack in... 2014? They found a way to access the passwords stored in the database but quickly realized they were hashed+salted and gave up. Then they checked my sister's eShop database and found the Credit Card table empty and completely gave up. Another successful hack (well, more of a cache poisoning) fixed here: HACK ATTEMPT on LDDb.com. Since then, anything resembling a SQL statement in an HTTP query will get you banned for 1 month. Trying again will block you for 12 months. Same for trying to get SMTP or IMAP account passwords.
5/ I follow reports like https://www.openbugbounty.org/reports/1566947/ As far as I can tell, I fixed all the bugs but the website is not updating to reflect that.
6/ No more usernames with @ that are actually the account email address.
7/ No more disclosing the seller's address in a buying transaction notice.
8/ Accessing 2 non-existing (404) pages in a row will block you for a while. All internal links are valid, you should never click on a bad one unless you modified something manually.
9/ I have a special welcome message for script kiddies running automated attacks with popular script bundles.

If you think about something else, I'm interested!

Julien

_________________
HARDWARE DATABASE HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G LDD-1 MSC-4000 R2144 PONTUS II C45 MC257

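Points 4/ and 8/ above describe two tripwires: a ban (1 month, then 12 months) for anything resembling a SQL statement in an HTTP query, and a temporary block after two consecutive 404s. The following is an added example, not lddb.com's code or its fail2ban configuration, implementing that logic over Apache-style access log lines so the rules can be tested before they go anywhere near a firewall. The log lines, the IP addresses (RFC 5737 documentation ranges), the SQL signature list, the one-hour length of the 404 block and the class/function names are all my own assumptions.

```python
import re
from collections import defaultdict
from datetime import timedelta
from typing import Optional, Tuple
from urllib.parse import unquote_plus

# Apache "combined"-style access log line (assumed field order; sample lines
# below are constructed, not taken from lddb.com's logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Heuristic signatures for "something resembling a SQL statement" in a URL.
# A signature list is a tripwire, not a fix: the real defence is prepared statements.
SQL_PATTERN = re.compile(
    r"""
    \bunion\b\s+(all\s+)?\bselect\b          # UNION SELECT
  | \bselect\b.+?\bfrom\b                    # SELECT ... FROM
  | \b(or|and)\b\s+\d+\s*=\s*\d+             # OR 1=1
  | '\s*(or|and)\s+'?\w*'?\s*=               # ' or 'a'=
  | ;\s*(drop|insert|update|delete|alter)\b  # stacked statement
  | /\*.*?\*/ | --\s*$                       # SQL comments
  | \b(sleep|benchmark|load_file)\s*\(       # time-based / file read
    """,
    re.IGNORECASE | re.VERBOSE,
)

BAN_SQL_FIRST = timedelta(days=30)    # "banned for 1 month"
BAN_SQL_REPEAT = timedelta(days=365)  # "trying again will block you for 12 months"
BLOCK_404 = timedelta(hours=1)        # "block you for a while" (assumed length)


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads (%2527) are seen."""
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


class BanHammer:
    def __init__(self) -> None:
        self.consecutive_404 = defaultdict(int)
        self.sql_offences = defaultdict(int)
        self.bans = {}  # ip -> (reason, duration)

    def feed(self, line: str) -> Optional[Tuple[str, timedelta]]:
        """Process one log line; return (reason, duration) if it triggers a ban."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ip, status = m["ip"], m["status"]
        path = decode_fully(m["path"])

        if SQL_PATTERN.search(path):
            self.sql_offences[ip] += 1
            duration = BAN_SQL_FIRST if self.sql_offences[ip] == 1 else BAN_SQL_REPEAT
            self.bans[ip] = ("sql-in-query", duration)
            return self.bans[ip]

        if status == "404":
            self.consecutive_404[ip] += 1
            if self.consecutive_404[ip] >= 2:
                self.consecutive_404[ip] = 0
                self.bans[ip] = ("404-probe", BLOCK_404)
                return self.bans[ip]
        else:
            self.consecutive_404[ip] = 0  # a valid page resets the streak
        return None


# Constructed sample traffic: a UNION probe, a two-hit 404 scan, a benign search
# containing the word "select", and a double-encoded ' or 1=1 from the same probing IP.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2021:02:45:01 +0900] "GET /title.php?id=1234 HTTP/1.1" 200 5120
203.0.113.7 - - [19/Mar/2021:02:45:03 +0900] "GET /title.php?id=1234%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 200 512
198.51.100.9 - - [19/Mar/2021:02:46:00 +0900] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.9 - - [19/Mar/2021:02:46:01 +0900] "GET /phpmyadmin/ HTTP/1.1" 404 210
192.0.2.44 - - [19/Mar/2021:02:47:00 +0900] "GET /search.php?q=select HTTP/1.1" 200 900
203.0.113.7 - - [19/Mar/2021:02:48:00 +0900] "GET /list.php?q=%2527%2520or%25201%253d1 HTTP/1.1" 200 300
"""


def run(log_text: str):
    hammer = BanHammer()
    return [hammer.feed(line) for line in log_text.splitlines()], hammer


if __name__ == "__main__":
    decisions, hammer = run(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(decision, "<-", line.split('"')[1])
```

Two details matter more than the signature list itself. Decoding the path until it stops changing is what catches the last line, which arrives double-encoded so that a single `urldecode` still shows `%27`. And the benign `q=select` line must stay unbanned: a pattern that fires on lone SQL keywords will lock out the members who search a catalogue for a title containing "select" or "union", which is the same false-positive problem as blocking a whole country in point 2/.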
cplusplus (Hardcore fan)
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant? Posted: 19 Mar 2021, 03:40
Joined: 13 Aug 2018, 03:18 | Posts: 1529 | Has thanked: 454 times | Been thanked: 592 times

admin wrote:
    If you think about something else, I'm interested!

Keeping all of your packages up to date on Debian stable can proactively mitigate a good chunk. Keep up to date on release notes for stuff you installed outside of the package manager. Sanitization everywhere, but still use prepared statements with user input. Glaring logs in parts of the code where funny business can happen.

admin (Site Admin)
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant? Posted: 19 Mar 2021, 03:55
Joined: 07 Aug 2002, 23:37 | Posts: 4569 | Location: Tokyo | Has thanked: 299 times | Been thanked: 1166 times

cplusplus wrote:
    Keeping all of your packages up to date on Debian stable can proactively mitigate a good chunk. Keep up to date on release notes for stuff you installed outside of the package manager.

My only weakness is that I'm still running on PHP 5.6, because moving to PHP 7 breaks down a LOT of things. The code base started on PHP 4! It's the next code upgrade I need to work on.

cplusplus wrote:
    Sanitization everywhere, but still use prepared statements with user input.

I learnt that the hard way... Fixed a lot of issues there. But they need to try many permutations before finding anything useful. 99.99% of the time the weird URLs will get them banned right away.

cplusplus wrote:
    Glaring logs in parts of the code where funny business can happen.

Fail2ban (instant email notification to me) and Apache logs (keeping 4 weeks' worth) take care of that.

Julien

_________________
HARDWARE DATABASE HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G LDD-1 MSC-4000 R2144 PONTUS II C45 MC257

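cplusplus's advice above, "sanitization everywhere, but still use prepared statements", and the admin's "I learnt that the hard way" deserve a concrete illustration of why escaping alone is not enough. The following is an added example, not code from lddb.com or from either poster, written in Python with the standard-library sqlite3 module (the site itself is PHP, where the same split is string interpolation versus PDO prepared statements). The schema, the table contents, the fake password hashes and the function names are constructed for the example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed toy schema standing in for a catalogue site: a titles table
    plus a users table holding salted password hashes (values are made up)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE titles(id INTEGER PRIMARY KEY, name TEXT, year INTEGER);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO titles VALUES (1, 'Blade Runner', 1982), (2, 'Akira', 1988), (3, 'Heat', 1995);
        INSERT INTO users VALUES (1, 'julien', 'pbkdf2_sha256$600000$aa11$bb22'),
                                 (2, 'ted',    'pbkdf2_sha256$600000$cc33$dd44');
        """
    )
    return con


def escape_quotes(s: str) -> str:
    """The usual hand-rolled 'sanitisation': double every single quote."""
    return s.replace("'", "''")


# --- string interpolation plus sanitisation: the pattern the thread warns about

def search_titles_unsafe(con: sqlite3.Connection, q: str) -> List[Tuple]:
    # Quoted string context: here quote-escaping does defuse a ' UNION ... payload,
    # which is exactly what makes this habit feel safe.
    sql = f"SELECT name, year FROM titles WHERE name LIKE '%{escape_quotes(q)}%'"
    return con.execute(sql).fetchall()


def titles_by_year_unsafe(con: sqlite3.Connection, year: str) -> List[Tuple]:
    # Numeric context: no quotes around the value, so quote-escaping changes nothing
    # and "1995 OR 1=1" or "0 UNION SELECT ..." is executed as SQL.
    sql = f"SELECT name, year FROM titles WHERE year = {escape_quotes(year)}"
    return con.execute(sql).fetchall()


# --- prepared statements: the value is bound as data and never parsed as SQL

def search_titles_safe(con: sqlite3.Connection, q: str) -> List[Tuple]:
    return con.execute(
        "SELECT name, year FROM titles WHERE name LIKE ?", (f"%{q}%",)
    ).fetchall()


def titles_by_year_safe(con: sqlite3.Connection, year) -> List[Tuple]:
    return con.execute(
        "SELECT name, year FROM titles WHERE year = ?", (year,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    dump = "0 UNION SELECT username, password_hash FROM users"
    print(titles_by_year_unsafe(con, dump))  # leaks every password hash
    print(titles_by_year_safe(con, dump))    # []: bound as text, matches no year
```

The `titles_by_year_unsafe` case is the 2014 incident in miniature: the attacker reaches the password table through a query the developer believed was sanitised, and only the salted hashes stop it from becoming a credential dump. The parameterised versions need no escaping at all, which is the point of the advice: sanitise for the application's own rules (length, character set, expected type), but let the database driver handle the boundary between data and SQL.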
cplusplus (Hardcore fan)
Post subject: Re: Is LDDB GDPR / PCI DSS / B&Q / ICI compliant? Posted: 19 Mar 2021, 21:59
Joined: 13 Aug 2018, 03:18 | Posts: 1529 | Has thanked: 454 times | Been thanked: 592 times

admin wrote:
    My only weakness is that I'm still running on PHP 5.6, because moving to PHP 7 breaks down a LOT of things.

Yeah, a good chunk of the internet is still on PHP 5. I'm not sure if you have looked at something like https://github.com/sstalle/php7cc. It is deprecated, but the other go-to scanners require PHP 7. PhpStorm is nice too, but expensive. You might be able to get everything done within the 30 day trial though. I think it has a migration tool or inspector. Also helps you see stuff like "variable used but not declared" (PHP insanity, and I don't mean "variable declared but not used"!)