Hack Us

  • Comments posted to this topic are about the item Hack Us

  • It appears to be a sensible approach when also taking the considerations of publicity and cost into account.

    It is key that they have excluded particular parts of their systems from this promotion but they must be aware that they have raised the likelihood of these being attacked regardless.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Some of us might worry that all the code we've cut and pasted will have the same issue in many places

    Oh come on, all of the code on the internet is perfectly safe for cut n paste use.:-D:-D

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • SQLRNNR (5/26/2015)


    Some of us might worry that all the code we've cut and pasted will have the same issue in many places

    Oh come on, all of the code on the internet is perfectly safe for cut n paste use.:-D:-D

    That's just not funn...oh OK it is funny. As much for those who DON'T consider it to be an issue :w00t:

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • We do penetration testing twice a year. Outside hacker agency does it for us.

    As for the cut'n'paste thing... we call that "CPR" for "Cut, Paste, and Replace". It's appropriate because you're either doing it in a crunch when you're having a heart attack or you will have a heart attack when you implement it. 😛 To be sure though, NO code, no matter how urgent, makes it to production at work without running the peer review and QA gambits. It may be greatly accelerated, but it is never skipped.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • I think PEN testing is very important, but it needs to be coupled with social engineering attacks and training/education to be truly effective.

    Over lunch I was listening to an NPR Fresh Air podcast from last year talking about digital security and privacy in the aftermath of the Target et al. hacks. The interviewee said the largest penetration of U.S. military networks was accomplished by a candy drop: someone left a thumb drive in the parking lot and a soldier picked it up and plugged it into his work computer.

    The most scary/interesting thing said (so far) was that no MBA or executive training program teaches digital security. It should be a required seminar for anyone earning ANY degree, in my ever so humble opinion.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • I would be pretty scared to not have control over who is doing the PEN testing. In reality, you are providing free license. With a contract + MOU you have a defined source of attack and ability to react as such.

    However, in this case, you have handed an anonymous "Get out of jail free" card out to anyone. If I were a hacker who was interested in the kind of data United holds, but scared of being busted, this would be a great time to make a move. If I found something I wanted, Score! If I was detected instead of getting away with my exploit, I was simply trying to earn some miles.

  • mitchellcstein (5/26/2015)


    I would be pretty scared to not have control over who is doing the PEN testing. In reality, you are providing free license. With a contract + MOU you have a defined source of attack and ability to react as such.

    However, in this case, you have handed an anonymous "Get out of jail free" card out to anyone. If I were a hacker who was interested in the kind of data United holds, but scared of being busted, this would be a great time to make a move. If I found something I wanted, Score! If I was detected instead of getting away with my exploit, I was simply trying to earn some miles.

    I would be extremely surprised if they hadn't covered that legally e.g. only granted permission for non-destructive access and explicitly disallowed retaining or other use of data.

    Also, remember that they are not opening up their systems as they are already open but just adding a legal scope for penetration testing.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • A part of our company will, unannounced, attempt to gain access to any server (SQL or otherwise) and change it. We put a small database on each server in which they will try to alter data, truncate tables and drop objects.

    So far we've passed the test.

    -------------------------------
    Posting Data Etiquette - Jeff Moden
    Smart way to ask a question
    There are naive questions, tedious questions, ill-phrased questions, questions put after inadequate self-criticism. But every question is a cry to understand (the world). There is no such thing as a dumb question. ― Carl Sagan
    I would never join a club that would allow me as a member - Groucho Marx

  • An interesting challenge to be sure, but like Gary said, I'd be concerned that excluded parts would be hacked anyway. My sincere hope is that they've put so much work into bullet-proofing their systems and survived many penetration tests by vendors without anything being reported, that they want to have the public do the end-all test. I hope they're prepared, but playing this game with customer data makes it a very dangerous game to play.

    It takes either incredible confidence or foolishness to issue such a challenge. I guess the results will determine which one.

  • Ed Wagner (5/27/2015)


    An interesting challenge to be sure, but like Gary said, I'd be concerned that excluded parts would be hacked anyway. My sincere hope is that they've put so much work into bullet-proofing their systems and survived many penetration tests by vendors without anything being reported, that they want to have the public do the end-all test. I hope they're prepared, but playing this game with customer data makes it a very dangerous game to play.

    It takes either incredible confidence or foolishness to issue such a challenge. I guess the results will determine which one.

    I think that you missed my point. Technically, they have not opened themselves up for attack. They already were. They have just highlighted themselves as a willing target.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Gary Varga (5/27/2015)


    I would be extremely surprised if they hadn't covered that legally e.g. only granted permission for non-destructive access and explicitly disallowed retaining or other use of data.

    Also, remember that they are not opening up their systems as they are already open but just adding a legal scope for penetration testing.

    Possibly, but then that limits the kind of testing you can do. With security, you are not just talking prevention, but also mitigation. If someone breaches your network, are you able to keep them from having Godlike powers while inside? Are you looking for things like an outside IP address pulling down 1,000,000 rows? If you don't give permission for testers to try to pull down the million, how can they realistically test whether they can?

    In any case, this will be interesting to see if anyone does anything.
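A detection check along the lines mitchellcstein describes, as an added example that is not code from the thread: it parses constructed SQL Server-style audit records (client IP, login, rows returned) and flags any outside address whose returned rows, summed across all its statements, reach the million-row mark. The internal address ranges, the record layout and the sample lines are all assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample audit records (not real logs), one per line:
# "<timestamp> <client_ip> <login> <rows_returned> <statement>"
SAMPLE_AUDIT = """\
2015-05-27T10:00:01Z 10.0.1.15 app_svc 120 SELECT TOP 120 * FROM dbo.Customers WHERE Region = 'NW'
2015-05-27T10:00:09Z 203.0.113.7 reporting 250000 SELECT * FROM dbo.Customers WHERE Id < 250000
2015-05-27T10:00:30Z 203.0.113.7 reporting 800000 SELECT * FROM dbo.Orders WHERE Id < 800000
2015-05-27T10:01:02Z 10.0.2.9 etl_svc 1500000 SELECT * FROM dbo.Orders
2015-05-27T10:01:10Z 198.51.100.23 reporting 50 SELECT TOP 50 * FROM dbo.Orders
"""

# Address ranges treated as inside the network (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ROW_THRESHOLD = 1_000_000  # the "million rows" from the thread


def is_external(ip_text):
    """True when the client address lies outside every internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one audit record into (timestamp, ip, login, rows, statement)."""
    ts, ip, login, rows, statement = line.split(" ", 4)
    return ts, ip, login, int(rows), statement


def find_bulk_pulls(audit_text, threshold=ROW_THRESHOLD):
    """Return {ip: (login, total_rows)} for external clients whose rows,
    summed over all their statements, reach the threshold. Summing per
    source matters: no single query here exceeds the limit, but
    250,000 + 800,000 from one outside address does. A production
    check would also bucket by time window; this one treats the whole
    sample as a single window."""
    totals = defaultdict(int)
    logins = {}
    for line in audit_text.splitlines():
        _ts, ip, login, rows, _stmt = parse_line(line)
        if is_external(ip):
            totals[ip] += rows
            logins[ip] = login
    return {ip: (logins[ip], n) for ip, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (login, n) in find_bulk_pulls(SAMPLE_AUDIT).items():
        print(f"ALERT external {ip} as {login} pulled {n:,} rows")
```

The internal ETL account pulling 1.5 million rows is deliberately not flagged, which is the trade-off the post is pointing at: a rule keyed on "outside IP" says nothing about an attacker who is already inside.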

  • I know we should do this but am afraid that we would be penetrated fairly easily. We're working to make that better but it's an endless job.

  • Ed Wagner (5/27/2015)


    An interesting challenge to be sure, but like Gary said, I'd be concerned that excluded parts would be hacked anyway. My sincere hope is that they've put so much work into bullet-proofing their systems and survived many penetration tests by vendors without anything being reported, that they want to have the public do the end-all test. I hope they're prepared, but playing this game with customer data makes it a very dangerous game to play.

    It takes either incredible confidence or foolishness to issue such a challenge. I guess the results will determine which one.

    It's dangerous, but ultimately I think this is a better move. I suspect they're watching and can catch things more quickly than if they wait for some malicious attack.

    It's likely they're already getting hack attacks, and if there are customer data issues, we don't hear about it (and they have a lack of incentive to fix things). Now if someone breaks in, the lucky hacker might announce it publicly.

  • Stuart Davies (5/27/2015)


    A part of our company will, unannounced, attempt to gain access to any server (SQL or otherwise) and change it. We put a small database on each server which they will try to alter data, truncate tables and drop objects.

    So far we've passed the test.

    Good, but this assumes that an attack on this database, repelled, implies that other databases on the instance couldn't be hacked. Probably some correlation, but not completely.
