Monday, September 26, 2011

The Accidental Hack

Today I came across an issue that, after walking around in several circles, turned out to have a very simple explanation. Maybe another instance of Occam's razor.

A little background information is needed. When a member uses their insurance and a claim is submitted, a process picks this up and sends out an email with a link to view the claim. The URL is member-agnostic and simply carries the date of the claim, for instance www.example.com/foo?date=1/1/2010. When the user navigates to the URL, they are prompted to log in. Upon successful login, any claims for the date in the URL are listed.

So, we get a help desk ticket stating that a member, Martha Smith, got such an email. When she clicked the link in the email, she logged in as msmith and saw claim information for John Smith. This looked like an obvious security and privacy issue, so the hunt began. We store email information in two locations. We looked up John Smith's and Martha Smith's information, and their email settings all checked out. It was noted that msmith is John's username, not Martha's.

After talking to a few people, the real story became clear. You see, John's email address was mary@domain.com. So msmith doesn't stand for Martha Smith, but for Mary Smith. It would seem that Martha forgot her username and guessed msmith. After a few failed login attempts, the account was locked. She went through the process of unlocking the account and correctly guessed the answer to the security question. This enabled her to reset the password and log in. When she finally logged in, she saw John's claim information, not because of any technical issue, but simply because she had logged in as him.
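To make the chain of events concrete, here is an added example (not code from the original post) that models the flow in Python: an emailed link that carries only a date, a login with lockout, and an unlock-by-security-question path that resets the password. Martha's real username, the security questions and answers, the lockout threshold and the claims data are all constructed assumptions; the post gives none of them.

```python
"""Added example, not the post's code: a toy model of the portal described above.
Everything except the username 'msmith', the address mary@domain.com and the
date=1/1/2010 link is constructed for illustration."""
import hashlib
import secrets
from datetime import date
from urllib.parse import urlparse, parse_qs

LOCKOUT_THRESHOLD = 3  # assumed; the post only says "after a few tries"


def _hash(secret: str, salt: str) -> str:
    return hashlib.sha256((salt + secret).encode()).hexdigest()


class Account:
    def __init__(self, username, password, question, answer, email):
        self.username = username
        self.email = email
        self.salt = secrets.token_hex(8)
        self.password_hash = _hash(password, self.salt)
        self.question = question
        self.answer_hash = _hash(answer.strip().lower(), self.salt)
        self.failed = 0
        self.locked = False


class Portal:
    def __init__(self, accounts, claims):
        self.accounts = {a.username: a for a in accounts}
        self.claims = claims  # username -> list of claims

    def login(self, username, password):
        """Return the authenticated username, or None. Locks after too many failures."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return None
        if _hash(password, acct.salt) == acct.password_hash:
            acct.failed = 0
            return username
        acct.failed += 1
        if acct.failed >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return None

    def unlock_and_reset(self, username, answer, new_password):
        """Recovery path from the post: a correct security-question answer unlocks
        the account and sets a new password. This is a second way to authenticate,
        exactly as strong as the answer is hard to guess."""
        acct = self.accounts.get(username)
        if acct is None or _hash(answer.strip().lower(), acct.salt) != acct.answer_hash:
            return False
        acct.locked = False
        acct.failed = 0
        acct.password_hash = _hash(new_password, acct.salt)
        return True

    def claims_for(self, authenticated_user, link):
        """Claims shown after following the link: scoped by the session identity,
        filtered by the date the link carries. The URL never names a member."""
        when = parse_claim_date(link)
        return [c for c in self.claims.get(authenticated_user, []) if c["date"] == when]


def parse_claim_date(url):
    """The emailed link is member-agnostic; date=M/D/YYYY is all it contributes."""
    raw = parse_qs(urlparse(url).query).get("date", [None])[0]
    if raw is None:
        raise ValueError("missing date parameter")
    month, day, year = (int(p) for p in raw.split("/"))
    return date(year, month, day)


def build_portal():
    """Constructed data: msmith is John Smith's account (mary@domain.com);
    Martha's username and everyone's question, answer and claims are assumed."""
    john = Account("msmith", "correct horse", "Mother's maiden name?", "Smith", "mary@domain.com")
    martha = Account("martha.smith", "battery staple", "Favourite colour?", "blue", "martha@domain.com")
    claims = {
        "msmith": [{"claim_id": "C-1001", "member": "John Smith", "date": date(2010, 1, 1)}],
        "martha.smith": [{"claim_id": "C-2002", "member": "Martha Smith", "date": date(2010, 1, 1)}],
    }
    return Portal([john, martha], claims)


def replay_incident(portal, link="http://www.example.com/foo?date=1/1/2010"):
    """Martha guesses 'msmith' as her own username, locks it, recovers it through
    the security question, and then sees whatever 'msmith' is entitled to see."""
    for guess in ("martha1", "Martha!", "password"):
        portal.login("msmith", guess)
    recovered = portal.unlock_and_reset("msmith", "smith", "NewPass123")
    user = portal.login("msmith", "NewPass123")
    return recovered, user, portal.claims_for(user, link)


if __name__ == "__main__":
    print(replay_incident(build_portal()))
```

The model shows where the exposure sits: `claims_for` is correct, since it scopes by the authenticated session and only takes the date from the URL. The account is taken over through `unlock_and_reset`, which accepts a guessable answer as proof of identity, so the security question is in effect a second password that lockout does nothing to protect.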

This whole story reminds me of this essay.

Wednesday, August 10, 2011

PAF Hell

Here is the story of one PAF as it made its way through our processes. The names have been changed to protect the innocent. ;-)

NOTE: None of the applications being moved are in ClearCase. Project management documents had to be moved into ClearCase mid-project because a Facets Extension change had to be made.


12/17/2009 – Sent PAF out for approval to Brent Smith, Jim Peterson, Mary Pearson, Brad Jules, QA, and Jami Robertson
12/18/2009 – Received PAF approvals from all except Brad Jules and QA.
12/18/2009 – QA informed me that they could not see the PAF in ClearCase.
12/21/2009 – Checked PAF into ClearCase. Sent email to QA also stating that all required approvals are now in as well.
12/21/2009 – Received approval from QA.
12/21/2009 – Sent email to CM requesting baseline of PAF.
12/21/2009 – Made arrangements with Web Architects for deployment on Tuesday 12/22 thinking baseline and other CM processes would still be completed 12/22.
12/22/2009 – Received rejection email from CM stating that PAF was not checked in using WorkRequest BCBST00020702 under the Unified Change Management Tab.
12/22/2009 – Re-assigned WorkRequest BCBST00020702 to me and checked out the PAF and checked it back in. Attached to WorkRequest. Sent back to CM for baseline.
12/22/2009 – Received rejection email from CM stating that two documents (Brad Jules’ approval and QA approval) were not in the WorkRequest attachments.
12/22/2009 – Added QA approval to attachments on WorkRequest. Sent baseline request back to CM stating that Len is not in the “minimum required approvals” list in the PAF.
12/23/2009 – Received phone call from CM explaining that all names listed in the PAF must approve even if they are not in the minimum required box.
12/28/2009 – Received Brad Jules’ approval. Tried several times to add to ClearCase and got errors. Unable to add document. Emailed issue to Rational ClearCase mailbox.
12/28/2009 – Received email from Rational ClearCase / Steve Mail stating that the error is caused by ClearCase’s limit of 1024 bytes for the Windows PATH variable and that I would need to contact the help desk to have my PATH variable shortened.
12/28/2009 – Shortened my own path variable since I am admin on my machine. Reassigned the WorkRequest to me, copied the approval document to ClearCase, checked it in, attached it to the WorkRequest in ClearQuest, reassigned to CM, sent email stating my ClearCase problem had been resolved and requested baseline.
12/29/2009 – Received rejection email from CM stating that they needed new approvals from PM, DM, Req., and Mary Pearson as their approval timestamps were prior to the current PAF timestamp in ClearCase. I do not know how the PAF timestamp changed, it may have happened when I had to check out and back in under WorkRequest BCBST00020702 on 12/22.
12/29/2009 – Changed the date range on the PAF since date had already passed, reassigned WorkRequest BCBST00020702 back to me, checked in PAF. Sent out new approval request email to all parties.
12/29/2009 – Received all approvals except Mary Pearson who was out of the office.
12/29/2009 – Sent email to QA requesting permission to proceed with Jim Peterson’s approval since Mary reports to Jim. Received ok from QA.
12/29/2009 – Checked new approvals in to ClearCase, attached documents to WorkRequest, reassigned WorkRequest to CM. Sent email to CM requesting baseline.
12/30/2009 – PAF baselined.
12/31/2009 - Received a CAR (Corrective Action Required) for not following procedure.
12/31/2009 - Picked up job application from Taco Bell. ;-)