October 19, 2015 at 11:41 pm
Comments posted to this topic are about the item Serious Hacking
October 20, 2015 at 12:29 am
Good luck with improving security.
Smaller ISVs or IT departments have little or no idea about security and tend to have the attitude that "we are too small to be of any interest to hackers". The fact that the software then ends up in somewhat sensitive companies doesn't even have any traction in improving security.
At least bigger companies have to follow some governance. There will be an eventual trickle-down effect of having to contemplate security for more than a microsecond by the smaller companies. Until then the weakest link will be easy to break.
October 20, 2015 at 1:00 am
October 20, 2015 at 7:06 am
We need to audit more, and worry about the technology of security as one of many issues to address in the security space.
412-977-3526 call/text
October 20, 2015 at 8:03 am
Let's assume a hacker can gain access to a privileged account on a highly sensitive database, like the one belonging to the federal government's Office of Personnel Management.
(OK, let's not just assume; let's just come to terms with the reality. :ermm:)
It makes me wonder how anyone (regardless of whether they are a hacker or the CIO) can download records for 40 million employees without tripping some type of database or network monitoring alert? Apparently someone opened a connection from an IP address external to the agency and downloaded GB of data. Is that a normal data usage pattern in any context? I mean in the physical world it's one thing to have a security clearance to the top secret documents room, but it's another to leave the building carrying a wheelbarrow full of documents. Even the janitor would know that don't look right. Surely we can come up with something similar in concept for the realm of digital records.
So, are there any third-party tools, perhaps something like RedGate's SQL Monitor, that can monitor (or even block) suspicious data access patterns?
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
October 20, 2015 at 8:18 am
According to the people in charge of the investigations letting people know how they are done would just encourage more people to try, rather than encouraging people to close the holes.
It doesn't do the security industry a lot of good to hide its practices.
October 20, 2015 at 8:49 am
Yet Another DBA (10/20/2015)
Good luck with improving security.
I sense a disturbance in the sarcasm of our industry.
October 20, 2015 at 8:52 am
Eric M Russell (10/20/2015)
It makes me wonder how anyone (regardless of whether they are a hacker or the CIO) can download records for 40 million employees without tripping some type of database or network monitoring alert? Apparently someone opened a connection from an IP address external to the agency and downloaded GB of data. Is that a normal data usage pattern in any context? I mean in the physical world it's one thing to have a security clearance to the top secret documents room, but it's another to leave the building carrying a wheelbarrow full of documents. Even the janitor would know that don't look right. Surely we can come up with something similar in concept for the realm of digital records.
Is it? Could an unbounded "select * from employees" ever happen in a database resulting from some search? An ETL job running that moves data from an OLTP system?
I think this type of data usage pattern is probably more common than you think. Also, who noted that this was 40mm records at once? I could see a hacker doing 40mm/26 queries. Getting all the As, Bs, etc.
October 20, 2015 at 8:58 am
Steve Jones - SSC Editor (10/20/2015)
Is it? Could an unbounded "select * from employees" ever happen in a database resulting from some search? An ETL job running that moves data from an OLTP system?
Again, why aren't we documenting what happened?
October 20, 2015 at 8:58 am
I read an article recently about the CIA pulling its personnel from China who were there under embassy/trade covers. Since China pulled the entire OPM database, they know who works for the State Dept. Therefore, if you're in China, allegedly as an employee of State, and you're not listed as being in State, you're probably CIA.
If China wanted to, they could distribute this information around the world, thus ending the CIA.
There was a KGB agent who used old school methods to identify CIA agents with uncanny accuracy. One was the fact that CIA agents don't have much of a public biography, whereas State employees do. Also, when one CIA agent left an Embassy job, the person who came in to take his place took over the same apartment whereas normal State employees chose their own lodgings. CIA agents also had very odd travel and meeting hours.
Kind of interesting how information can be used in ways that you can never fully anticipate.
-----
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson
October 20, 2015 at 9:45 am
Even when larger companies limit rights for developers, I've too often seen operations staff log in and allow developers to change systems to get them working.
What does 'get them working' mean in this context? Does it mean having development environments configured so that developers can actually do development?
Too often, I've seen operations staff uncaring or unwilling to let developers get on with their jobs: development environments so constrained that some developers paid out of their own pockets to set up their own on Amazon.
There has to be a middle ground. Procedures can be established, with operations staff following a templated set of steps which quickly and efficiently set up secure development environments when needed.
October 20, 2015 at 10:52 am
Steve Jones - SSC Editor (10/20/2015)
Eric M Russell (10/20/2015)
It makes me wonder how anyone (regardless of whether they are a hacker or the CIO) can download records for 40 million employees without tripping some type of database or network monitoring alert? Apparently someone opened a connection from an IP address external to the agency and downloaded GB of data. Is that a normal data usage pattern in any context? I mean in the physical world it's one thing to have a security clearance to the top secret documents room, but it's another to leave the building carrying a wheelbarrow full of documents. Even the janitor would know that don't look right. Surely we can come up with something similar in concept for the realm of digital records.
Is it? Could an unbounded "select * from employees" ever happen in a database resulting from some search? An ETL job running that moves data from an OLTP system?
I think this type of data usage pattern is probably more common than you think. Also, who noted that this was 40mm records at once? I could see a hacker doing 40mm/26 queries. Getting all the As, Bs, etc.
Within the context of this specific database we're talking about, a query like "select * from employees" is suspicious, unless it's from a specific account used for ETL and within a narrow operational window. Also, a query like "select * from employees where LastName like 'A%'" is also suspicious, even if it returns only a few thousand records. I'm not asking that a database monitoring tool automatically detect intrusions out of the box; executive management and the IT department itself would have to define the rules based on what they know about the use case of their own database. The tool would just provide a framework.
Maybe the post-9/11 idea, that information must be open and freely accessible between agencies, has been taken a bit too far and needs to be reined in. I'm not sure to what extent that contributes to the recent explosion of data breaches, but I can't help but suspect that it's a factor. Like I mentioned earlier, a database containing the personal info of State Department and CIA employees should be treated with the same level of scrutiny as a vault-style room with armed guards containing paper files with the same level of sensitive information. Maybe the old way is the best way... when it comes to certain types of data. I know there are probably a lot of old timers at the CIA today that are having feelings of F.U.D. about the state of our nation's digital security.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
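As an added illustration (not code from the thread or from any monitoring product) of the rule-based framework described in the post above, together with the chunked "40mm/26 queries" pattern raised earlier: a small Python checker over constructed query-audit records that flags unbounded SELECTs outside an assumed ETL account and maintenance window, alphabetic LIKE 'A%' chunking, external source addresses, and a per-login/IP cumulative row budget. The account name, window, address prefix, budget and audit records are all assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: (timestamp, login, source_ip, statement, rows_returned).
AUDIT = [
    ("2015-10-20 02:05:00", "svc_etl", "10.0.0.5", "SELECT * FROM employees", 4_000_000),
    ("2015-10-20 09:12:00", "jdoe", "10.0.1.17", "SELECT * FROM employees WHERE EmployeeID = 1234", 1),
    ("2015-10-20 14:30:00", "svc_etl", "203.0.113.9", "SELECT * FROM employees", 4_000_000),
] + [
    # Ten alphabetic slices from an external address: each small, together a bulk pull.
    (f"2015-10-20 15:{i:02d}:00", "jdoe", "203.0.113.9",
     f"SELECT * FROM employees WHERE LastName LIKE '{c}%'", 150_000)
    for i, c in enumerate("ABCDEFGHIJ")
]

ETL_ACCOUNTS = {"svc_etl"}        # assumed account permitted to run full extracts
ETL_WINDOW = (1, 4)               # assumed maintenance window: 01:00 <= hour < 04:00
INTERNAL_PREFIX = "10."           # assumed internal address space
SESSION_ROW_BUDGET = 500_000      # assumed rows per (login, ip) before alerting

UNBOUNDED = re.compile(r"^\s*SELECT\b(?!.*\bWHERE\b)", re.I)   # SELECT with no WHERE
ALPHA_CHUNK = re.compile(r"LIKE\s+'[A-Z]%'", re.I)            # LastName LIKE 'A%' style slices

def flag_statement(ts, login, ip, sql):
    """Return the reasons a single statement looks suspicious (empty list means none)."""
    reasons = []
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
    if not ip.startswith(INTERNAL_PREFIX):
        reasons.append("external source address")
    if UNBOUNDED.search(sql):
        in_window = ETL_WINDOW[0] <= hour < ETL_WINDOW[1]
        if login not in ETL_ACCOUNTS or not in_window:
            reasons.append("unbounded SELECT outside ETL account/window")
    if ALPHA_CHUNK.search(sql):
        reasons.append("alphabetic chunking predicate")
    return reasons

def review(audit):
    """Per-statement rules plus a cumulative row budget per (login, ip); ETL accounts are exempt from the budget."""
    alerts = []
    rows_by_session = defaultdict(int)
    for ts, login, ip, sql, rows in audit:
        for reason in flag_statement(ts, login, ip, sql):
            alerts.append((ts, login, reason))
        key = (login, ip)
        before = rows_by_session[key]
        rows_by_session[key] = before + rows
        # Fire once, at the statement that first pushes the session over budget.
        if login not in ETL_ACCOUNTS and before <= SESSION_ROW_BUDGET < before + rows:
            alerts.append((ts, login, f"cumulative rows from {ip} exceeded {SESSION_ROW_BUDGET}"))
    return alerts
```

The sample shows the point of the thread: the 02:05 extract by the ETL account passes cleanly, while the same statement at 14:30 from an external address and the ten small slices are all flagged, and the slices also trip the cumulative budget at the fourth query.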
October 20, 2015 at 12:13 pm
The only way programmers are going to devote time and effort to securing data services is when managers/executives are personally liable, whether it be fear of being fired or actual liability, for someone hacking into a system.
Otherwise this talk about hacking is just a lot of talk about technology and "what-should-have-been" and will not be addressed, now or in the future.
October 20, 2015 at 12:45 pm
Steve Jones - SSC Editor (10/20/2015)
Yet Another DBA (10/20/2015)
Good luck with improving security.
I sense a disturbance in the sarcasm of our industry.
- as if millions of voices suddenly cried out in terror "make this secure" and were suddenly silenced?
October 20, 2015 at 2:11 pm
The government is quick to fine, and even civilly charge, private companies and individuals for data loss. And here (as in many cases before this) their screw-up is among the worst. The pot and the kettle.
Same occurred with the accidental release of toxic water in Colorado. If a private operator had done this fines would be obscene and probably someone would be jailed. Since the EPA did it, I'm sure we won't see much retribution.
...
-- FORTRAN manual for Xerox Computers --