Archive for the ‘Financial services’ Category

BankLiberty Turns to Hosted File Transfer Solution – Biscom Delivery Server

January 14, 2011

This is a great story about BDS in a software as a service (SaaS) environment. BankLiberty was looking for a faster, more secure, and more efficient way to send their confidential information out. KDSA Consulting, our partner in North Andover, MA, hosts our secure file transfer solution in their datacenter, handling the back end so our customers don’t have to worry about hardware, software, and network connectivity.

My favorite quote in the article, by network administrator Dan Hagstrom, was when he said that “the results in 2010 have been transformative. It’s changed the way that we can communicate with the outside world.”

How to protect against SQL injection

December 20, 2010

SQL injection is still out there as an attack. It worked against Twin America LLC, and it was only discovered this past October, after hundreds of thousands of records were stolen. It’s a well-known ploy: you take advantage of web sites that have a form for inputting information. If a site doesn’t employ techniques to nullify SQL injection, an attacker can easily see your entire database, which often includes usernames, passwords, and account information, or worse, download the information and then destroy the database.

Two common areas that are potentially open to attack are unfiltered escape characters (quotes and other characters with special meaning in SQL) and poor type handling. In an unfiltered web form, a form variable is plugged directly into a SQL statement. If I crafted just the right input, I could append my own SQL clause to the one being executed. The classic example is a query built by string concatenation:

"SELECT * FROM user_table WHERE username = '" + username + "';"

If instead of a valid username, I entered ' OR '1'='1 , I’d now be running this statement:

SELECT * FROM user_table WHERE username = '' OR '1'='1';

The OR '1'='1' clause will always evaluate to true, retrieving every row from the user table.

A second potential hole exists if the programmer does not check for type constraints. If a SQL statement is expecting a number, the input to supply that variable should be checked to make sure it truly is a number. Again, like the trick above, I could insert an entirely new statement like DROP TABLE user_table after entering a number into a form. The back end would then execute whatever statement I presented to it.

There are several techniques to protect a Web application from these types of attacks, including the use of parameterized statements, or even escaping characters that have a special meaning in SQL. But programmers have to be diligent about adding this protection, because hackers will find even the smallest hole and take advantage of it.
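The following example is added here and is not code from the original post or from Biscom; it uses Python’s standard sqlite3 module with an in-memory database and a constructed two-row user table to show the concatenated query from the post leaking every row, the same lookup done with a parameterized statement, and a type check that rejects a non-numeric id before it ever reaches SQL.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny in-memory user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_table (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def lookup_vulnerable(conn, username):
    # The pattern from the post: the form value is spliced straight into the SQL text,
    # so a quote in the input closes the literal and anything after it becomes syntax.
    sql = "SELECT * FROM user_table WHERE username = '" + username + "';"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Parameterized statement: the driver binds the value separately from the SQL text,
    # so quotes inside the input stay data and can never change the query's structure.
    sql = "SELECT * FROM user_table WHERE username = ?;"
    return conn.execute(sql, (username,)).fetchall()

def lookup_by_id(conn, raw_id):
    # Type handling: insist the value really is an integer before building the query.
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError(f"id must be an integer, got {raw_id!r}")
    return conn.execute("SELECT * FROM user_table WHERE id = ?;", (user_id,)).fetchall()

def demo():
    conn = make_db()
    injected = "' OR '1'='1"  # the input from the post
    results = {
        "vulnerable": len(lookup_vulnerable(conn, injected)),  # both rows leak
        "safe": len(lookup_safe(conn, injected)),              # no user has that literal name
        "alice": len(lookup_safe(conn, "alice")),              # normal lookups still work
    }
    try:
        lookup_by_id(conn, "1; DROP TABLE user_table")
        results["id_check"] = "accepted"
    except ValueError:
        results["id_check"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```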

Biscom spends its time worried about these types of hacks, so you don’t have to. Countless penetration tests have proven our security model. We think our customers want a secure file transfer solution that is actually secure.

$200 discount on AIIM 2009

February 11, 2009

I’ll be speaking with Dave Brown from Rockland Trust (see previous blog entry) at the AIIM show in Philadelphia (March 30-April 2, 2009) and AIIM has been kind enough to provide a $200 discount for any new attendees. You can get the discount code here.

It’s going to be a fun session — Dave has a great story to tell, and I hope it helps others see the potential for a secure file transfer solution in their organization.

How to acquire a bank in the 21st century

February 10, 2009

Biscom Delivery Server is being used in a lot of different ways — sending medical records and clinical data securely, sharing large multimedia files with design studios and PR agencies, distributing software to customers, and working with local, state and federal government agencies.

But one of our more interesting customers is Rockland Trust, a regional bank here in Massachusetts that is one of the few banks that is actually doing well and growing. Dave Brown, their AVP Information Risk/Security Architect, is what I’d call someone with vision. Or at least he saw the potential for BDS in his company. Dave and I are going to be co-presenting at the AIIM 2009 show in Philadelphia on April 1, 2009 on how Rockland Trust is using BDS to address multiple secure delivery projects internally as well as externally.

One of Dave’s many hats involves handling the data transfers when Rockland Trust acquires another bank. These bank conversions involve moving all customer information, deposits, historicals, and balances so that the customers of the acquired bank can, for example, go to an ATM for either of the banks, and get cash out. It’s also nice when the account balances are correct.

Dave’s been doing bank conversions for 20 years, has executed hundreds of acquisitions, and I don’t think I’m going out on a limb when I say he’s pretty much an expert on this. So, I take his word when he says that before BDS, there was a lot more to worry about, including whether the magnetic tape backups would be delayed because an airport’s snowed in (yes, this really happened!), or if the tapes would arrive corrupted, or even if the reel-to-reel systems of the two banks would be compatible. There are a number of potential issues.

Dave used BDS in an acquisition recently and it apparently went so well, he’s “rewritten the book” on bank conversions, and BDS is now part of Rockland’s SOP. He now includes BDS in the project plans of all his acquisitions, and by doing so, the cut over is seamless for the bank’s customers. Instead of closing on Friday, and re-opening Monday, the acquired bank can be open for business on Saturday morning. The ROI for that is something we’re still trying to figure out, but think about this: no opportunity costs of a branch being closed for one or more days, customers don’t have to wait several days before being able to access their accounts via ATM or online, and the increased confidence and trust customers will have with a bank where everything is handled quickly, efficiently, and smoothly.

So, if you’re going to AIIM this April, you can hear Dave talk about how Rockland Trust is using BDS, not just for bank conversions, but also in all other parts of the organization.
